(54) System and method for protection of digital works



(57) A method of protecting a digital work uses a blind transformation function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is protected in its original form by not being decrypted. This method enables the rendering or replay application to process the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is then decrypted just before it is displayed to the user. The blind transformation function is a function of the original transformation function. For example, the blind transformation function may be a polynomial of the original transformation function. Alternatively, both the blind transformation function and the original transformation function may be any multivariate, integer coefficient affine function.
Description
Copyright Notice 

[0001] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office file or records, but otherwise reserves all copyright rights whatsoever.

Related Application 

[0002] This application is a continuation-in-part application of application no. 09/178,529 filed October 23, 1998.
Field of the Invention 

[0003] The invention relates to document rights management, and more particularly to a method for protecting digital 
works which employs a blind transformation to transform encrypted digital works into encrypted presentation data. 

Background of the Invention 

[0004] One of the most important issues impeding the widespread distribution of digital documents or works via electronic commerce is the current lack of protection of the intellectual property rights of content owners during the distribution and use of those digital documents or works. Efforts to resolve this problem have been termed "Intellectual Property Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), "Intellectual Property Management" ("IPM"), "Rights Management" ("RM"), "Digital Rights Management" ("DRM") and "Electronic Copyright Management" ("ECM"). At the core of Digital Rights Management is the underlying issue of ensuring that only authorized users may perform operations on digital documents or works that they have acquired. Once accessed, the content must not be distributed or used in violation of the content owner's specification of rights.

[0005] A document or work, as the term is used herein, is any unit of information subject to distribution or transfer including but not limited to correspondence, books, magazines, journals, newspapers, other papers, software, photographs and other images, audio and video clips, and other multimedia presentations. A document may be embodied in printed form on paper, as digital data on a storage medium, or in any other known manner on a variety of media. A digital work, as the term is used herein, is any document, text, audio, multimedia or other type of work or portion thereof maintained in a digital form that can be replayed or rendered using a device or a software program.
[0006] In the world of printed documents, a work created by an author is usually provided to a publisher which 
formats and prints numerous copies of the work. The copies are then sent by a distributor to bookstores or other retail 
outlets, from which the copies are purchased by end users. 

[0007] While the low quality of copying and the high cost of distributing printed material have served as deterrents to the illegal copying of most printed documents, it is far too easy to copy, modify, and redistribute unprotected electronic documents. Accordingly, some method of protecting electronic documents is necessary to make it harder to illegally copy them. This will serve as a deterrent to copying, even if it is still possible, for example, to make hardcopies of printed documents and duplicate them the old-fashioned way.

[0008] With printed documents, there is an additional step of digitizing the document before it can be redistributed electronically; this serves as a deterrent. Unfortunately, it has been widely recognized that there is no viable way to prevent people from making unauthorized distributions of electronic documents within current general-purpose computing and communications systems such as personal computers, workstations, and other devices connected over local area networks (LANs), intranets, and the Internet. Many attempts to provide hardware-based solutions to prevent unauthorized copying have proven to be unsuccessful.

[0009] Two basic schemes have been employed to attempt to solve the document protection problem: secure containers (systems which rely on cryptographic mechanisms) and trusted systems.

[0010] Cryptographic mechanisms encrypt (or "encipher") documents that are then distributed and stored publicly 
and ultimately privately decrypted by authorized users. Cryptographic mechanisms provide a basic form of protection 
during document delivery from a document distributor to an intended user over a public network, as well as during 
document storage on an insecure medium. Many digital rights management solutions rely on encrypting the digital 
work and distributing both the encrypted message and decryption key to the consumer's system. While different 
schemes are employed to hide the decryption key from the consumer, the fact remains that all necessary information 
is available for a malicious user to defeat the protection of the digital work. Considering that current general-purpose 
computers and consumer operating systems provide little in the way of sophisticated security mechanisms, the threat 
is both real and obvious.

[0011] A "secure container" (or simply an encrypted document) offers a way to keep document contents encrypted until a set of authorization conditions are met and some copyright terms are honored (e.g., payment for use). After the various conditions and terms are verified with the document provider, the document is released to the user in clear form. Commercial products such as IBM's Cryptolopes and InterTrust's Digiboxes fall into this category. Clearly, the secure container approach provides a solution to protecting the document during delivery over insecure channels, but does not provide any mechanism to prevent legitimate users from obtaining the clear document and then using and redistributing it in violation of content owners' intellectual property.

[0012] Cryptographic mechanisms and secure containers focus on protecting the digital work as it is being transferred to the authorized user/purchaser. However, a digital work must be protected throughout its use from malicious users and malicious software programs. Even if a user is a trusted individual, the user's system may be susceptible to attack. A significant problem facing electronic commerce for digital works is ensuring that the work is protected on the target consumer's device. If the protection for the digital work is compromised, valuable and sensitive information is lost. To complicate matters, today's general-purpose computers and consumer operating systems are deficient in the areas of security and integrity. Protecting the work throughout usage is a much more complex issue that remains largely unsolved.

[0013] In the "trusted system" approach, the entire system is responsible for preventing unauthorized use and distribution of the document. Building a trusted system usually entails introducing new hardware such as a secure processor, secure storage and secure rendering devices. This also requires that all software applications that run on trusted systems be certified to be trusted. While building tamper-proof trusted systems is still a real challenge to existing technologies, current market trends suggest that open and untrusted systems such as PCs and workstations will be the dominant systems used to access copyrighted documents. In this sense, existing computing environments such as PCs and workstations equipped with popular operating systems (e.g., Windows and UNIX) and render applications (e.g., Microsoft Word) are not trusted systems and cannot be made trusted without significantly altering their architectures.

[0014] Accordingly, although certain trusted components can be deployed, users must continue to rely upon various unknown and untrusted elements and systems. On such systems, even if they are expected to be secure, unanticipated bugs and weaknesses are frequently found and exploited.

[0015] Conventional symmetric and asymmetric encryption methods treat messages to be encrypted as basically binary strings. Applying conventional encryption methods to documents has some drawbacks. Documents are typically relatively long messages; encrypting long messages can have a significant impact on the performance of any application that needs to decrypt the document prior to use. More importantly, documents are formatted messages that rely on appropriate rendering applications to display, play, print and even edit them. Since encrypting a document generally destroys formatting information, most rendering applications require the document be decrypted into clear form before rendering it. Decryption prior to rendering opens the possibility of disclosing the document in the clear after the decryption step to anyone who wants to intercept it.

[0016] There are a number of issues in rights management: authentication, authorization, accounting, payment and financial clearing, rights specification, rights verification, rights enforcement, and document protection. Document protection is a particularly important issue. After a user has honored the rights of the content owner and has been permitted to perform a particular operation with a document (e.g., print it, view it on-screen, play the music, or execute the software), the document is presumably in-the-clear, or unencrypted. Simply stated, the document protection problem is to prevent the content owner's rights from being compromised when the document is in its most vulnerable state: stored, in the clear, on a machine within the user's control.

[0017] Even when a document is securely delivered (typically in encrypted form) from a distributor to the user, it must be rendered to a presentation data form before the user can view or otherwise manipulate the document. Accordingly, to achieve the highest level of protection, it is important to protect the document contents as much as possible, while revealing them to the user at a late stage and in a form that is difficult to recover into a useful form.

[0018] In the known approach to electronic document distribution that relies on encryption, an encrypted document is rendered in several separate steps. First, the encrypted document is received by the user. Second, the user employs his private key (in a public key cryptosystem) to decrypt the data and derive the document's clear content. Finally, the clear content is then passed on to a rendering application, which translates the computer-readable document into the finished document, either for viewing on the user's computer screen or for printing a hardcopy. The clear content is required for rendering because, in most cases, the rendering application is a third-party product (such as Microsoft Word or Adobe Acrobat Reader) that requires the input document to be in a specific format. It should be appreciated, then, that between the second and third steps, the previously protected document is vulnerable. It has been decrypted, but is still stored in clear electronic form on the user's computer. If the user is careless or is otherwise motivated to minimize fees, the document may be easily redistributed without acquiring the necessary permissions from the content owner.
[0019] Since no system is totally tamper proof or immune to attack, some recent techniques protect digital works by limiting use of the digital work to a user-specified physical device. These techniques require the user to provide some form of system state information from the system or physical device the user intends to use to render the digital work. System state information is typically defined as system configuration information such as system CPU identifier, device identifiers, NIC identifiers, drive configuration, etc. In these techniques, the digital content is encrypted using a session key; then the session key, rather than being encrypted with the user's encryption key, is encrypted using a combination of the system or state information and the user's credentials. Then both the encrypted content and the encrypted session key are transmitted to the destination repository. In order to use the received encrypted work, the user contacts a verification component (usually a remotely located software program) which verifies the identity and credentials of the user, verifies the system state, decrypts the session key and finally decrypts the content for use.

[0020] Commercial applications such as the secure Adobe Acrobat reader and the secure Microsoft MediaPlayer rely on system device identifiers such as the CPU identifier or certain device serial numbers. Before performing an operation on the digital work, the application verifies that the specified device is present, so that the digital work has not been transmitted to an unauthorized user (actually to an unauthorized device). While the programmatic check provides a minimal level of assurance, it depends on the security of the checking application, and the identifiers themselves are particularly susceptible to the threat of spoofing.

[0021] The Adobe Acrobat Reader and MediaPlayer protection schemes operate by allowing the rendering application to [...] and provide a level of protection adequate in many circumstances (i.e., if the user is trusted and the user's specified rendering device is not susceptible to attack). The weakness of the schemes is that they are based on the assumption that neither the protection of the cryptographic key nor the integrity of the license voucher will be compromised. This is more of an authentication technique than a protection technique, in that once the user identity and credential information or system state information is verified, or the license voucher is received, the content is decrypted to its clear state and then becomes vulnerable to attack. The digital work is afforded no protection throughout its use.

[0022] [...] personal information. In other words, for the user information approach to succeed there must be a disincentive for users who would reveal their private identity and credential information.

[0023] A disadvantage of schemes which tie authorization to a specific device is that they require the user to disclose system information (e.g., CPU identifier or other personal information), which raises a concern regarding privacy. While the user divulges this information voluntarily (the user's only choice if he/she does not wish to disclose this information is not to use the digital work), it would be desirable to provide a protection scheme that could secure a digital work on a user's device without requiring private information. It would also be desirable to provide a scheme that does not depend on the protection of the key or the integrity of the license voucher.

[0024] It would be desirable to provide a DRM solution which delayed decryption of the digital content to the latest possible moment. It would be beneficial to provide an electronic document distribution scheme that minimizes the exposure of the electronically distributed document during the decryption and rendering processes.

Summary of the Invention

[0025] A self-protecting document (SPD), according to the invention, is not subject to the above-stated disadvantages. By packaging an encrypted document with a set of permissions and an executable code segment that includes most of the software necessary to extract and use the encrypted document, the self-protecting document accomplishes protection of document contents without the need for additional hardware and software.

[0026] The SPD system is broken down between a content creator (analogous to the author and the publisher of the traditional model) and a content distributor. The author/publisher creates the original document and decides which permissions [...]; the distributor then customizes the document for use by various users, ensuring via the customization that the users do not exceed the permissions they purchased.

[0027] In the SPD system, the self-protecting document is decrypted at the last possible moment. In an embodiment of the invention, various rendering facilities are also provided within the SPD, so that the use of the SPD need not rely upon external applications that might not be trustworthy (and that might invite unauthorized use). In an alternative embodiment, an interface is specified for a rendering application to interact with the SPD.

[0028] In one embodiment of the invention, the encrypted document is decrypted by the user's system while simultaneously "polarizing" it with a key that is dependent, at least in part, on the state of the user's system. The polarization may be cryptographically less secure than the encryption used for distribution, but serves to deter casual copying. In this embodiment, depolarization is performed during or after the rendering process, so as to cause any intermediate form of the document to be essentially unusable.

[0029] In another embodiment of the invention, a method of protecting a digital work uses a blind transformation function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is protected in its original form by not being decrypted. This method enables the rendering or replay application to process the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is then decrypted just before it is displayed to the user. This method improves the overall performance of the process (both decryption and rendering) by minimizing the decryption overhead (since pre-rendering decryption is generally more time and resource consuming) and postponing the decryption to a late stage of the rendering process.

[0030] Blind transformation or blind computing can be accomplished in one of several ways. Most digital works include formatting information, which when encrypted cannot be processed by the replay or rendering application (the transformation function which transforms a digital work into presentation data). If the digital work is encrypted with a format preserving encryption scheme, any transformation function may be used. This is particularly useful in that any commercial replay or rendering application can process the encrypted digital work into encrypted presentation data. Otherwise the blind transformation function is a function of the original transformation function. For example, the blind transformation function may be a polynomial of the original transformation function. Alternatively, both the blind transformation function and the original transformation function may be any multivariate, integer coefficient affine function.
[0031] Not all encryption schemes are format preserving encryption schemes. Additive encryption schemes may be used with all document types and all associated transformation functions. In some replay or render applications, for some types of documents, portions of the format information may be left in the clear. In other types of documents all of the format information may be encrypted. In some types of documents, an additive encryption scheme may be used to encrypt the format information and any encryption scheme may be used to encrypt the content or data portion of the document.
[0032] In particular, additive encryption schemes can be used to encrypt coordinate information of documents, so that some rendering transformations can be performed on the encrypted coordinate data. In a special class of documents, token-based documents, for example, there are two places during the format-preserving encryption that use encryption schemes: one is for coordinate or location information x and y of the particular tokens within the document, and the other is for the dictionary of individual token images. In order to perform blind transformation on the individual coordinates of the particular tokens in the document, the first encryption scheme must be an additive encryption scheme. However, the token dictionary may be encrypted with any encryption scheme.
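The additive-scheme case of paragraphs [0030] to [0032], as an added example (not code from the patent): each token coordinate is masked with c = m + k mod N, the rendering transform is a multivariate integer-coefficient affine map, and the viewer strips the transformed mask A·k from the presentation data after the renderer has worked on ciphertext only. The modulus N, the SHA-256 mask derivation, the sample points, the transform and the key are assumptions for illustration.

```python
"""Blind affine transformation on additively encrypted coordinates.

Added example, not code from the patent. Coordinates are protected with an
additive scheme c = m + k mod N; the rendering transform is an affine map with
integer coefficients. Because A(m + k) + b = (Am + b) + Ak, the renderer can
apply the same map to ciphertext and the viewer removes A*k just before display.
"""
import hashlib

N = 2 ** 32  # assumption: coordinates live in a 32-bit modular space


def masks(key: bytes, count: int) -> list[int]:
    """Derive `count` additive masks from `key` (assumption: SHA-256 in counter mode)."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.append(int.from_bytes(digest[:4], "big") % N)
    return out


def encrypt_coords(points, key):
    """Additive encryption: every coordinate gets its own mask, c = m + k mod N."""
    ks = masks(key, 2 * len(points))
    return [((x + ks[2 * i]) % N, (y + ks[2 * i + 1]) % N)
            for i, (x, y) in enumerate(points)]


def affine(point, A, b):
    """Multivariate integer-coefficient affine map (x, y) -> A(x, y) + b, mod N."""
    x, y = point
    return ((A[0][0] * x + A[0][1] * y + b[0]) % N,
            (A[1][0] * x + A[1][1] * y + b[1]) % N)


def render(points, A, b):
    """The ordinary rendering transform (document -> device coordinates).
    Applied to ciphertext it is the blind transformation: same code, different input."""
    return [affine(p, A, b) for p in points]


def decrypt_presentation(enc_pres, key, A):
    """Strip the transformed masks. Each point carries A*k, not k: the linear part
    of the map acted on the mask, while the translation b was applied once to the
    plaintext and needs no correction."""
    ks = masks(key, 2 * len(enc_pres))
    out = []
    for i, (px, py) in enumerate(enc_pres):
        kx, ky = ks[2 * i], ks[2 * i + 1]
        mx = (A[0][0] * kx + A[0][1] * ky) % N
        my = (A[1][0] * kx + A[1][1] * ky) % N
        out.append(((px - mx) % N, (py - my) % N))
    return out


def blind_pipeline(points, key, A, b):
    """Distributor encrypts; an untrusted renderer transforms ciphertext; the viewer decrypts."""
    enc = encrypt_coords(points, key)   # this is all that leaves the distributor
    enc_pres = render(enc, A, b)        # the renderer never sees `points`
    return decrypt_presentation(enc_pres, key, A)


# Constructed sample: three token positions; 2x scale with y flipped about 1000.
SAMPLE_POINTS = [(10, 20), (300, 40), (55, 400)]
SAMPLE_A = [[2, 0], [0, -2]]
SAMPLE_B = [100, 1000]
SAMPLE_KEY = b"example-distribution-key"  # assumption: known to distributor and viewer only

if __name__ == "__main__":
    print(render(SAMPLE_POINTS, SAMPLE_A, SAMPLE_B))
    print(blind_pipeline(SAMPLE_POINTS, SAMPLE_KEY, SAMPLE_A, SAMPLE_B))
```

The viewer-side step needs the linear part A of the transform to compute A·k, so the presentation-data key depends on the rendering path, not only on the distribution key. The restriction to affine (or, more generally, polynomial) transforms in [0030] is what makes this work: a transform that does not commute with the additive mask leaves the viewer with no way to remove it.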

[0033] An encrypted token dictionary may still leak information such as the sizes of the token images. If this is a concern (such as if the token dictionary is small), the tokens can be padded with some extra bits before encryption. The padding can result in encrypted token images of a same size or several fixed sizes. For a token-based document, the coordinate information of the tokens in the dictionary may not be encoded. If it is desired that coordinate information be encoded, say, as Huffman codewords, the same approach that is used to encrypt the identifiers can be used to deal with this situation. Basically, the codewords in location tables are left in the clear, and the codewords in the codeword dictionary are hashed using some one-way hash function and their corresponding coordinate information is encrypted. During rendering the codewords in the location tables are first hashed and then used to look up their encrypted coordinate information.
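The token-dictionary arrangement of [0033], as an added example (not code from the patent): token images are padded to a small set of fixed sizes before encryption, the location table keeps its codewords in the clear, and the codeword dictionary is keyed by a one-way hash of each codeword with the coordinate value additively encrypted. The size classes, the SHA-256 keystream (illustration only, not a vetted cipher), and the sample tokens, codewords and key are constructed assumptions.

```python
"""Protected token-based document: padded token images, hashed codeword dictionary.

Added example, not code from the patent. Constructed data throughout.
"""
import hashlib

N = 2 ** 32                      # assumption: coordinate modulus
SIZE_CLASSES = (64, 256, 1024)   # assumption: the fixed ciphertext sizes


def pad_to_class(image: bytes) -> bytes:
    """Pad a token image to the smallest size class, with a 2-byte length prefix."""
    n = len(image)
    for size in SIZE_CLASSES:
        if n + 2 <= size:
            return n.to_bytes(2, "big") + image + b"\x00" * (size - n - 2)
    raise ValueError("token image larger than the largest size class")


def unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def stream(key: bytes, label: bytes, length: int) -> bytes:
    """Keystream for illustration only (SHA-256 counter mode); not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def hash_codeword(codeword: str) -> str:
    """One-way hash used as the dictionary key; the codeword itself is not stored there."""
    return hashlib.sha256(b"cw:" + codeword.encode()).hexdigest()


def mask_for(key: bytes, codeword: str) -> int:
    """Additive mask for the coordinate value that a codeword stands for."""
    return int.from_bytes(stream(key, b"coord:" + codeword.encode(), 4), "big") % N


def protect(token_images, codeword_values, location_table, key):
    """Build the protected document.
    token_images: {token_id: bytes}; codeword_values: {codeword: coordinate value};
    location_table: list of (token_id, x_codeword, y_codeword), kept in the clear."""
    enc_tokens = {}
    for tid, img in token_images.items():
        padded = pad_to_class(img)                       # hides the true image size
        enc_tokens[tid] = xor_bytes(padded, stream(key, b"tok:%d" % tid, len(padded)))
    enc_dict = {hash_codeword(cw): (v + mask_for(key, cw)) % N
                for cw, v in codeword_values.items()}
    return {"tokens": enc_tokens, "codewords": enc_dict, "locations": list(location_table)}


def lookup_encrypted_coords(doc):
    """Rendering side: hash the clear codeword, fetch the still-encrypted value."""
    return [(tid, doc["codewords"][hash_codeword(xc)], doc["codewords"][hash_codeword(yc)])
            for tid, xc, yc in doc["locations"]]


def decrypt_coords(doc, key):
    """Viewer side: remove the per-codeword mask (the step deferred to display time)."""
    return [(tid, (ex - mask_for(key, xc)) % N, (ey - mask_for(key, yc)) % N)
            for (tid, ex, ey), (_, xc, yc) in zip(lookup_encrypted_coords(doc), doc["locations"])]


def decrypt_token(doc, tid, key):
    enc = doc["tokens"][tid]
    return unpad(xor_bytes(enc, stream(key, b"tok:%d" % tid, len(enc))))


# Constructed sample: three glyph bitmaps of different sizes, four codewords.
TOKENS = {1: b"\x01" * 10, 2: b"\x02" * 37, 3: b"\x03" * 200}
CODEWORDS = {"0": 0, "10": 12, "110": 48, "111": 96}
LOCATIONS = [(1, "0", "0"), (2, "10", "0"), (3, "110", "111")]
KEY = b"example-key"  # assumption

if __name__ == "__main__":
    doc = protect(TOKENS, CODEWORDS, LOCATIONS, KEY)
    print(sorted({len(c) for c in doc["tokens"].values()}))
    print(decrypt_coords(doc, KEY))
```

One caveat a practitioner would want: a Huffman codeword space is tiny, so an unkeyed hash of a codeword can be inverted by enumeration. The hash keeps the codeword from sitting in the clear next to its value, but the protection of the dictionary rests on the encryption of the coordinate values, and a real deployment would use a cipher and key derivation that have been reviewed rather than the counter-mode hash shown here.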

[0034] In another embodiment of the invention, a digital work and a system context (or resource information or system resource) are polarized enabling trusted rendering or replay of the digital work without depolarization of the digital content. In this embodiment, the digital work is of the type which includes digital content and resource information. Resource information may include information used by a replay application to format or process the digital work into presentation data. Resource information may include, for example, a collection of system resources available to the replay software on a particular system, such as the Font Table, Color Palette, System Coordinates and Volume Setting.
[0035] Different types of digital works may be polarized. In addition to polarizing typical document type digital works, [...]. The digital work and the system context are polarized at a manufacturer or content owner's location using a polarization engine. A polarization engine is a component used to transform the digital work and system context to their respective polarized forms. The polarization engine employs a polarization scheme which relies on some polarization seed, an element used to initialize and customize the polarization engine.
[0036] Various polarization schemes may be used to polarize a digital work. For example, a stateless polarization employs a random number as a seed to transform a digital work into a polarized digital work. A state-based polarization scheme employs a seed based on a system state or characteristic of a system to transform a digital work into a polarized digital work that is associated with that system state or characteristic. A dynamic state-based polarization scheme employs a seed based on a dynamic system state or characteristic to transform a digital work into a polarized digital work. In this embodiment, the polarized digital work will typically be provided with a polarization engine for repolarizing the encoded digital work and the encoded system context according to the dynamic state-based polarization scheme.
[0037] When a digital work is ordered, a copy of the resource information, called the system context, is made. The polarization seed is selected and [...]. The digital work and the system context are polarized. A different polarization scheme may be used for the system context and the digital work. However, the polarization seed is the same for both. The polarized digital work and polarized system context are then provided to the user for replay or rendering on a replay or rendering device.

[0038] [...] In this embodiment of the invention, the replay application uses the polarized resource information to transform a polarized digital work into clear presentation data.

[0039] If only the digital content of a digital work is polarized, and the resource information is not polarized or is in the clear, the replay application will be able to process the polarized digital work only into polarized presentation data. This means a depolarizer must depolarize the data into clear presentation data suitable for viewing or use by the user. If a portion of a digital work [...] polarized, the replay application transforms the polarized digital work [...] using the polarized resource information to transform the polarized digital work into clear presentation data [...] polarized. The replay is blind in that [...].

[0040] In this embodiment, a polarized digital work is replayed using a polarized system context (resource information) to create clear presentation data. The replay application can be any commercially available third party application. The replay application need not [...], and no depolarization engine is required. The replay [...] processes polarized data using polarized system resources and [...]. Polarization encodes the work such that the ability to replay it using a software application is tied to a specific resource information, thus protecting the content throughout use.

[0041] [...] the blind replay keeps the digital work encoded in the polarized form (there is no [...] of the replay process in the blind replay system); only the presentation data is depolarized or in the clear. Since presentation data is generally of a lesser quality than the original digital work, [...] the presentation data cannot be easily [...].

[0042] [...] blind replay system of the invention by polarizing [...].
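Polarization of a digital work together with its system context, as described in [0034] to [0040], as an added example (not code from the patent). The polarization scheme is an assumption for illustration: a seed-derived permutation of character codes, applied to the document's codes and used to re-index the font table, so that an unmodified code-to-glyph renderer replays the polarized work into clear presentation data without ever depolarizing it. The stateless and state-based seed derivations follow [0036]; the system context fields and the sample text are constructed.

```python
"""Polarized digital work and polarized font table, replayed blind.

Added example, not code from the patent. The polarization scheme (a
seed-derived permutation of character codes) is an assumption for illustration.
"""
import hashlib
import os


def seed_stateless() -> bytes:
    """Stateless polarization: a random seed that must travel with the work."""
    return os.urandom(16)


def seed_from_state(system_context: dict) -> bytes:
    """State-based polarization: seed derived from system characteristics.
    The context field names are assumed for illustration."""
    material = "|".join(f"{k}={system_context[k]}" for k in sorted(system_context))
    return hashlib.sha256(b"polarization-seed:" + material.encode()).digest()


def permutation(seed: bytes, size: int) -> list[int]:
    """Deterministic permutation of range(size): Fisher-Yates driven by SHA-256(seed, i)."""
    perm = list(range(size))
    for i in range(size - 1, 0, -1):
        r = int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:8], "big")
        j = r % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def polarize_document(codes: list[int], perm: list[int]) -> list[int]:
    """Digital content: every character code is replaced by its image under perm."""
    return [perm[c] for c in codes]


def polarize_font_table(font_table: list[str], perm: list[int]) -> list[str]:
    """System context: re-index glyphs so that entry perm[c] holds the glyph of code c."""
    table = [""] * len(font_table)
    for c, glyph in enumerate(font_table):
        table[perm[c]] = glyph
    return table


def render(codes: list[int], font_table: list[str]) -> str:
    """Unmodified replay application: plain code -> glyph lookup, unaware of polarization."""
    return "".join(font_table[c] for c in codes)


def blind_replay(codes, font_table, seed):
    """Polarize work and context with the same seed, then hand both to the plain renderer."""
    perm = permutation(seed, len(font_table))
    return render(polarize_document(codes, perm), polarize_font_table(font_table, perm))


# Constructed sample data.
FONT_TABLE = [chr(i) if 32 <= i < 127 else "?" for i in range(128)]  # 7-bit glyph table
DOC = [ord(ch) for ch in "Protected text"]
CONTEXT = {"hostname": "workstation-7", "cpu_id": "0xA1B2C3D4"}  # assumed context fields

if __name__ == "__main__":
    seed = seed_from_state(CONTEXT)
    print(blind_replay(DOC, FONT_TABLE, seed))
    perm = permutation(seed, len(FONT_TABLE))
    # Polarized content with a clear font table: polarized presentation data ([0039]).
    print(render(polarize_document(DOC, perm), FONT_TABLE))
```

With a state-based seed the polarized work replays correctly only on a system whose context reproduces the same seed; on any other system, or with a clear font table, the same renderer emits polarized presentation data that a depolarizer would have to invert, which is the case [0039] describes. Nothing in `render` changes between the clear and the polarized path, which is the point of [0040]: the renderer can be an unmodified third-party application.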
Brief Description of the Drawings 

[0043] FIGURE 1 is a block diagram illustrating a top-level functional model for a system for the electronic distribution of documents;
FIGURE 2 is a block diagram illustrating a prior art system for electronic document distribution;
FIGURE 3 is a block diagram illustrating electronic document distribution according to a simple embodiment of the invention;
FIGURE 4 [...];
FIGURE 5 [...];
FIGURE 6 [...] according to an embodiment of the invention [...];

FIGURE 7 is a flow diagram, from a user's perspective, illustrating the actions performed in handling and using a self-protecting document according to the invention;

FIGURE 8 is a graph illustrating several possible paths between an unrendered and encrypted document, and rendered and decrypted presentation data;
FIGURE 9 is a flow diagram illustrating a polarization process according to the invention in which document format information remains in the clear for rendering;
FIGURE 10 is a block diagram of a method of format preserving encryption and trusted rendering according to the invention;
FIGURE 11 is a simple example of a document to be tokenized;
FIGURE 12 is the token dictionary for the document of Fig. 11;
FIGURE 13 is the location table for the document of Fig. 11;
FIGURE 14 is a block diagram illustrating a process for generating a polarized digital work and polarized system resource according to the invention;
FIGURE 15 is a block diagram illustrating the conversion of a digital work into image data according to the art;
FIGURE 16 is a block diagram illustrating a system for blind replay of a polarized digital work according to the invention;
FIGURE 17 is a block diagram illustrating another system of blind replay of a polarized digital work according to the invention;
FIGURE 18 is a block diagram of an example structure of a digital document;
FIGURE 19 is an example digital document;
FIGURE 20 is an example of the digital document of Fig. 19 after it has been polarized;
FIGURE 21 is a block diagram of an example structure of a resource information or system context for a digital document;
FIGURE 22 is a block diagram of an example font table; and
FIGURE 23 is a block diagram of the font table of Fig. 22 after it has been polarized.


Detailed Description of the Preferred Embodiments 

[0044] The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that the invention can be embodied in a wide variety of forms, some of which may be quite different from those of the disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely representative and do not limit the scope of the invention.

[0045] Figure 1 represents a top-level functional model for a system for the electronic distribution of documents, which as defined above, may include correspondence, books, magazines, journals, newspapers, other papers, software, audio and video clips, and other multimedia presentations.

[0046] An author (or publisher) 110 creates a document's original content 112 and passes it to a distributor 114 for distribution. Although it is contemplated that the author may also distribute documents directly, without involving another party as a distributor, the division of labor set forth in Figure 1 is more efficient, as it allows the author/publisher 110 to concentrate on content creation, and not the mechanical and mundane functions taken over by the distributor 114. Moreover, such a breakdown would allow the distributor 114 to realize economies of scale by associating with a number of authors and publishers (including the illustrated author/publisher 110).

[0047] The distributor 114 then passes modified content 116 to a user 118. In a typical electronic distribution model, the modified content 116 represents an encrypted version of the original content 112; the distributor 114 encrypts the original content 112 with the user 118's public key, and modified content 116 is customized solely for the single user 118. The user 118 is then able to use his private key to decrypt the modified content 116 and view the original content 112.

[0048] A payment 120 for the content 112 is passed from the user 118 to the distributor 114 by way of a clearinghouse 122. The clearinghouse 122 collects requests from the user 118 and from other users who wish to view a particular document. The clearinghouse 122 also collects payment information, such as debit transactions, credit card transactions or other known electronic payment schemes, and forwards the collected users' payments as a payment batch 124 to the distributor 114. Of course, it is expected that the clearinghouse 122 will retain a share of the user's payment 120. In turn, the distributor 114 retains a portion of the payment batch 124 and forwards a payment 126 (including royalties) to the author and publisher 110. In one embodiment of this scheme, the distributor 114 awaits a bundle of user requests for a single document before sending anything out. When this is done, a single document with modified content 116 can be generated for decryption by all of the requesting users. This technique is well-known in the art.

[0049] In the meantime, each time the user 118 requests (or uses) a document, an accounting message 128 is sent to an audit server 130. The audit server 130 ensures that each request by the user 118 matches with a document sent by the distributor 114; accounting information 131 is received by the audit server 130 directly from the distributor 114. Any inconsistencies are transmitted via a report 132 to the clearinghouse 122, which can then adjust the payment [...] charges that vary, depending on [...] or other [...] permissions [...].

[0050] [...] the system and method set forth herein [...] the distribution of self-protecting documents.

[0051] Figure 2 [...] a prior art system for electronic document distribution [...] documents. Those encrypted documents are distributed and stored publicly and deciphered privately by authorized users. This provides a basic form of protection during document delivery [...]. Decryption uses a private key, which is stored locally on the user's computer or entered by the user [...], and produces clear content 216 similar or identical to the original content [...].

[0052] [...] a rendering step 218 [...] of this kind. Presentation data 220 is data immediately suitable for display on a video screen, for printing as a hardcopy, or for other use depending on the document type.

S0 Kor^^ 

IIO.Evena^imateLrmayb'rpe^ 

order to redistribute and use It at will wLut honoZ Z 1 !n . V V the d0Cument ,n ,ne clea ' in 

above, the present invention is <J*^!^,^^ ^ ° f ,he * bussed 

document during the rendering process 0 n L use* " " " ° btain ' n9 8 ,0m " 

[0056] Figure 3 looks similar to Figure 2 in that an encrypted document 310 is passed to a decryption step 312 (which uses a private key 314) and a rendering step 316, resulting in presentation data 318. However, an additional layer of protection is provided by a protecting shell [...]: the document 310 is decrypted and rendered without ever making the clear document (216 of Figure 2) available to be intercepted. This is accomplished by [...] rendering [...] the document 310, as will be described below with reference to Figure 4. The [...] are adapted to limit the user's interaction with the SPD, [...] the document or performing [...] paste operations) according to the user's permissions.

[0057] [...] the encrypted document contents 410 are passed to a polarizer 412, which receives the user's private key 414 and, via a decryption step 416, decrypts the document contents 410 [...] the user's system. Concurrently, the polarizer 412 receives a polarization key 418 from [...].

[0058] This polarization key 418 is used by the polarizer 412 to [...] polarized contents 420. All of these operations can take place [...] of protective measures, provided the polarizer 412 does not store a clear copy of the [...].

[0059] In one embodiment of the invention, the polarization key 418 represents a combination of data elements taken from the user's system's internal state, such as the [...]. It is useful to include some time-derived [element in the polarization key] 418 so that interception and seizure of polarized contents 420 would not be useful. Furthermore, [...] would not be possible, as the system time would have changed [...].
[0060] Then, once again within the protecting shell 422, the polarized contents 420 are passed to a rendering application 424. As discussed above, typical rendering applications [...] applications such as Microsoft Word or Adobe Acrobat Reader. [...] the polarized contents 420, as the [...] used by the renderer will have been scrambled in the polarization process.

[0061] [...] processable by the application. This possibility will be discussed below, in connection with Figure 9.

[0062] The output of the rendering application is polarized presentation data 426, which has been formatted by the rendering application 424 but is still polarized, and hence not readable by the user. The polarized presentation data 426 is passed to a depolarizer 428, which receives the polarization key 418 and restores the original form of the document as presentation data 430. In one embodiment of the invention, the depolarization function is combined with the rendering or display function. In this case, the polarized presentation data 426 is received directly by a display device which can be separate from the user's system and receive data over a communications channel.

[0063] Creation of the polarization key 418, the rendering application 424, and the depolarization step 428 are all elements of the protecting shell 422; these are tamper-resistant program elements. It is contemplated that all computational (or transformation) steps that occur within the protecting shell 422 will use local data only and will not store temporary data to any globally accessible storage medium or memory area; only the explicit results will be exported from the protecting shell 422. This approach will prevent users from easily modifying operating system entry points or scavenging system resources so as to intercept and utilize intermediate data.

[0064] It should be noted that the presentation data 430 of Figure 4, in alternative embodiments of the invention, can be either device independent or device dependent. In the device-independent case, additional processing by a device driver (such as a display driver or a printer driver) typically is necessary to complete the rendering process. In the presently preferred device-dependent case, the device-specific modifications to the presentation data have already been made (either in the rendering application 424 or the depolarizing step 428), and the presentation data 430 can be sent directly to the desired output device.

[0065] The decryption schemes described with reference to Figures 3 and 4 above are enabled by a unique document structure, which is shown in detail in Figure 5. As discussed above, certain operations performed by the system and method of the invention require trusted components. One way to ensure that certain unmodified code is being used to perform the trusted aspects of the invention is to provide the code along with the documents. The various components of a self-protecting document according to the invention are illustrated in Figure 5.

[0066] The problem of document protection is approached by the invention without any assumptions on the presence of trusted hardware units or software modules in the user's system. This is accomplished by enhancing a document to be an active meta-document object. Content owners (i.e., authors or publishers) attach rights to a document that specify the types of uses, the necessary authorizations and the associated fees, and a software module that enforces the permissions granted to the user. This combination of the document, the associated rights, and the attached software modules that enforce the rights is the self-protecting document ("SPD") of the invention. A self-protecting document prevents the unauthorized and uncontrolled use and distribution of the document, thereby protecting the rights of the content owners.

[0067] The self-protecting document 510 includes three major functional segments: an executable code segment 512 contains certain portions of executable code necessary to enable the user to use the encrypted document; a rights and permissions segment 514 contains data structures representative of the various levels of access that are to be permitted to various users; and a content segment 516 includes the encrypted content 116 (Figure 1) sought to be protected.

[0068] In the preferred embodiment of the invention, the content segment 516 of the SPD 510 includes three subsections: document meta-information 518 (including but not limited to the document's title, format, and revision date), rights label information 520 (such as a copyright notice attached to the text, as well as rights and permissions information), and the protected content (the encrypted document itself).

[0069] In one embodiment of the invention, the rights and permissions segment 514 includes information on each authorized user's specific rights. A list of terms and conditions may be attached to each usage right. For example, user John Doe may be given the right to view a particular document and to print it twice, at a cost of $10. In this case, the rights and permissions segment 514 identifies John Doe, associates two rights with him (a viewing right and a printing right), and specifies terms and conditions including the price ($10) and a limitation on printing (twice). The rights and permissions segment 514 may also include information on other users.

[0070] In an alternative embodiment, the rights and permissions segment 514 includes only a link to external information specifying the rights. In such a case, the actual rights and permissions are stored elsewhere, for example on a network-accessible server [...]. This approach provides the advantage that rights and permissions may be updated dynamically by the content owners. For example, the price for a view may be increased, or a user's rights may be terminated if unauthorized use has been detected.

[0071] In either scenario, the rights and permissions segment 514 is cryptographically signed (by methods known in the art) to prevent tampering with the specified rights and permissions; it may also be encrypted to prevent the user from directly viewing the rights and permissions of himself and others.

[0072] The executable code segment 512, also called the "SPD Control," also contains several subsections, each of which comprises a software module at least partially within the executable code segment. In one embodiment of the invention, the Java programming language is used for the SPD Control; however, it is contemplated that any platform-independent or platform-specific language, either interpreted or compiled, can be used in an implementation of this invention.
[...] and to permit or deny the action depending on the specified rights [...]. The operation of the rights enforcer 524 will be described in further detail below, in connection with Figure 7.

[...] as discussed above. In a preferred embodiment of the invention, the polarization [...].

[...] the depolarization engine 528 is [...] polarized presentation data. Therefore, if that data is intercepted, [...] further depolarization which depends on [...].

[...] rights and permissions segment 514. For example, if the user purchases [...].

[...] engine [...] 532 may be included with the SPD applet, or alternatively [...].

[...] 610 is created from three items: the original content 612 in clear (unencrypted) form; a high-level rights specification 614; and an optional watermark 616.

The content 612 is essentially "pre-rendered" in the content pre-processing step so that it [...] for use with [...] the SPD. For example, [...] Microsoft Word or Adobe Acrobat (.PDF) format [...] to a different format specially adapted [...]. In one embodiment of the invention, multiple versions of the content 612 are generated in the pre-processing step and stored in the generic SPD 610; those different versions may be [...] by the user according to his needs.

[0082] The high-level rights specification 614 [...] access rights are permissible. Such a rights specification is tailored to a particular [...] classes of downstream users. For example, [...] the option to purchase a version of the document that "times out" [...]. [...] operations are described with reference to a detailed example [...].

Digital Property Rights Language (DPRL) is a language [...] to specify rights for digital works. It provides a mechanism in which different terms and conditions [...]. Rights specifications are represented as [...] 5,715,403 to Stefik, entitled "System for Controlling the Distribution and Use of Digital Works" [...].

[...] called "rights groups". Each right within a rights group [...] named [...] can be performed, and so on. DPRL allows different categories of rights: transport rights, render rights, derivative work rights, file management rights and configuration rights. Transport rights govern the movement of a work from one repository to another. Render rights govern the printing and display of a work, or more generally, the transmission of a work through a transducer to an external medium (this includes the "export" right, which can be used to make copies in the clear). Derivative work rights govern the reuse of a work in creating new works. File management rights govern making and restoring backup copies. Finally, configuration rights refer to the installation of software in repositories.

An exemplary work specification in DPRL is set forth below:

(Work:
  (Rights-Language-Version: 1.02)
  (Work-ID: "ISBN-1-55860-166-X; AAP-2348957tut")
  (Description: "Title: 'Zuke-Zack, the Moby Dog Story'
                 Author: 'John Beagle'
                 Copyright 1994 Jones Publishing")
  (Owner: (Certificate:
            (Authority: "Library of Congress")
            (ID: "Murphy Publishers")))
  (Parts: "Photo-Celebshots-Dogs-23487gfj" "Dog-Breeds-Chart-AKC")
  (Comment: "Rights edited by Pete Jones, June 1996.")
  (Contents: (From: 1) (To: 16636))
  (Rights-Group: "Regular"
    (Comment: "This set of rights is used for standard retail editions.")
    (Bundle:
      (Time: (Until: 1998/01/01 0:01))
      (Fee: (To: "Jones-PBL-18546789") (House: "Visa")))
    (Play:
      (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1))))
    (Print:
      (Fee: (Per-Use: 10.00 USD))
      (Printer:
        (Certificate:
          (Authority: "DPT")
          (Type: "TrustedPrinter-6")))
      (Watermark:
        (Watermark-Str: "Title: 'Zeke Zack - the Moby Dog' Copyright 1994 by Zeke Jones. All Rights Reserved")
        (Watermark-Tokens: user-id institution-location render-name render-time)))
    (Transfer:)
    (Copy: (Fee: (Per-Use: 10.00 USD)))
    (Copy: (Access:
             (User: (Certificate:
                      (Authority: "Murphy Publishers")
                      (Type: "Distributor")))))
    (Delete:)
    (Backup:)
    (Restore: (Fee: (Per-Use: 5.00 USD)))))

[...] encrypted by the author/publisher 110 for transmission to the distributor 114 (Figure 1).
[0090] The resulting custom SPD 632 is then transmitted to the user 118 by any available means, such as via a computer network or stored on a physical medium (such as a magnetic or optical disk).

[0091] The operations performed when a user receives an SPD are depicted in the flow diagram of Figure 7. The SPD is first received and stored at the user's system (step 710); in many cases, it is not necessary to use the SPD right away. When usage is desired, the user is first authenticated (step 712), typically with a user name and a password or key. The system then determines what action is desired by the user (step 714). When an action is chosen, the rights-enforcement step of the invention (step 716) verifies the conditions associated with the desired action (such as the fee, time, level of access, watermark, or other conditions); this can be performed locally via the SPD applet 512 (Figure 5) or by accessing a rights enforcement server.

[0092] If the rights enforcement step (step 716) fails, an update procedure (step 718) is undertaken. The user may choose to update his permissions, for example by authorizing additional fees. After the satisfactory verification of conditions, a pre-audit procedure (step 720) is performed, in which the SPD system logs verification status to a tracking service (e.g., the audit server 130 of Figure 1). The content is then securely rendered to the screen (step 722) as discussed above. When the user is finished, a post-audit procedure (step 724) is performed in which the amount of usage is updated with the tracking service. The SPD system then awaits further action.
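The rights-enforcement step (716) of Figure 7, run against the DPRL work specification shown earlier on this page, as an added example (not the patent's or any DPRL implementation's code). The S-expression parser and the checks are this example's own simplifications: SPEC is a constructed, shortened copy of the page's specification, and the evaluation of the Bundle's time limit, the right's fee and the printer-certificate condition is one reading of those fields.

```python
"""Rights enforcement (step 716) over a DPRL-style work specification.
Example added for this page; not the patent's or DPRL's own code.  The
parser covers the S-expression subset used in the page's example; the
checks cover the Bundle's Time/Until, the right's Fee and a Printer
certificate.  SPEC is a constructed, shortened copy of the page's example."""
import re
from datetime import datetime

SPEC = """
(Work:
  (Rights-Language-Version: 1.02)
  (Work-ID: "ISBN-1-55860-166-X; AAP-2348957tut")
  (Rights-Group: "Regular"
    (Bundle:
      (Time: (Until: 1998/01/01 0:01))
      (Fee: (To: "Jones-PBL-18546789") (House: "Visa")))
    (Play: (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1))))
    (Print:
      (Fee: (Per-Use: 10.00 USD))
      (Printer: (Certificate: (Authority: "DPT") (Type: "TrustedPrinter-6"))))
    (Copy: (Fee: (Per-Use: 10.00 USD)))))
"""

FMT = "%Y/%m/%d %H:%M"                      # DPRL time literal, e.g. 1998/01/01 0:01
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse(text: str):
    """Turn the S-expression into nested lists; quoted strings lose their quotes."""
    stack, cur = [], []
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok[1:-1] if tok.startswith('"') else tok)
    if stack:
        raise ValueError("unbalanced '('")
    return cur[0]


def child(node, head):
    """First sub-list of `node` whose head token is `head`, e.g. 'Print:'."""
    for item in node or []:
        if isinstance(item, list) and item and item[0] == head:
            return item
    return None


def rights_group(work, name):
    for item in work:
        if isinstance(item, list) and item[:2] == ["Rights-Group:", name]:
            return item
    raise KeyError(name)


def check_right(work, group, action, now: str, printer_cert=None):
    """Return (allowed, fee_usd, reasons) for `action` ('Print:', 'Play:', ...)
    requested at time `now` (same literal format as the spec).  The pre- and
    post-audit steps (720/724) would log this decision and the usage."""
    grp = rights_group(work, group)
    right = child(grp, action)
    if right is None:
        return False, 0.0, [f"no {action} right in group {group!r}"]
    reasons = []
    # Bundle conditions apply to every right in the group.
    until = child(child(child(grp, "Bundle:"), "Time:"), "Until:")
    if until:
        deadline = datetime.strptime(f"{until[1]} {until[2]}", FMT)
        if datetime.strptime(now, FMT) >= deadline:
            reasons.append(f"rights group expired at {deadline.isoformat()}")
    fee = 0.0
    fee_node = child(right, "Fee:")
    per_use = child(fee_node, "Per-Use:")
    metered = child(fee_node, "Metered:")
    if per_use:
        fee = float(per_use[1])                    # ['Per-Use:', '10.00', 'USD']
    elif metered:
        fee = float(child(metered, "Rate:")[1])    # charged per metered unit
    cert = child(child(right, "Printer:"), "Certificate:")
    if cert:
        required = (child(cert, "Authority:")[1], child(cert, "Type:")[1])
        if printer_cert != required:
            reasons.append(f"printer certificate {required} required")
    return not reasons, fee, reasons


if __name__ == "__main__":
    work = parse(SPEC)
    print(check_right(work, "Regular", "Print:", "1997/06/01 12:00", ("DPT", "TrustedPrinter-6")))
    print(check_right(work, "Regular", "Play:", "1998/03/01 09:00"))
```

A denial carries the reasons so that the update procedure (step 718) can tell the user which condition to satisfy; an allowance carries the fee the pre-audit step would log.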

[0093] The protection yielded by the SPD is derived from the user's inability to capture a useful form of the document at any intermediate stage during the rendering process. This is accomplished by decrypting the document contents to a clear form at the latest possible stage, ideally in the last step.

[0094] The SPD decryption model is illustrated in Figure 8. E denotes the encryption function performed by the publisher, D denotes the decryption performed at the user's system, and R denotes the rendering transformation. Many prior systems use a first sequence of transformations 810, D(E(x)) followed by R(D(E(x))). As stated previously, the early decryption leaves the document in a vulnerable state. Ideally, the transformations are performed in the reverse order 812, R'(E(x)) followed by D(R'(E(x))). This postpones decryption to the latest possible time.

[0095] The existence of R', a rendering operation that can be performed before decryption, is determined by the following equality:

    D(R'(E(x))) = R(D(E(x)))

In case the encryption and decryption functions are commutative, that is, E(D(x)) = D(E(x)) for any x, the existence of R' is ensured:

    R'(y) = E(R(D(y))) for y = E(x)

In practice, encryption and decryption functions in popular public-key cryptographic systems such as the RSA system and the ElGamal discrete logarithm system satisfy the commutation requirement. This means that the transformation R' exists if these cryptographic systems are used for encryption and decryption.

[0096] The path x* = D(R'(E(x))) portrays an ideal SPD solution to the document protection against unauthorized document usage and distribution. A scenario of distributing and using a document can be described as follows. When a user purchases the document, the document is encrypted using the user's public information and is transmitted over an insecure network channel such as the Internet. The encrypted document has the rights information attached to it and a protecting applet 512 that enforces the rights and permissions granted to the user by the content owner. Upon a user's request on using the document, the applet verifies the rights and permissions and generates from the encrypted document the presentation format of the original document. As any intermediate form of the document before the final presentation data is encrypted with the user's private information, the SPD model of document protection ensures that any intermediate form of the document is not useful to other systems wherever it is intercepted.

[0097] Clearly, this ideal solution relies on whether or not the transformation R' that corresponds to the rendering transformation R can be computed efficiently, and in particular on whether or not an invocation of the decryption function D is necessary during an implementation of R'. A trivial case in which R' can be implemented efficiently is where R is commutative with the encryption function E. When this happens,

    R'(y) = E(R(D(y))) = R(E(D(y))) = R(y)

for y = E(x). In this case, R' = R.
[0098] Consideration of Figure 8 reveals that many intermediate solutions (e.g., intermediate solutions 814, 816, and 818) to the document protection problem may exist on the user's system between the two extremes x* = R(D(E(x))), which has no protection on x = D(E(x)), and x* = D(R'(E(x))), which [...] (under the assumptions set forth above). As depicted in Figure 8, one [...] presentation data x' that [...] transformations. Again, it should be recognized that delaying the decryption D in any path increases the protection level to the document.

[...] decryption to the last possible moment [...] the document as a whole. This possibility is shown in Figure 9. Beginning with [...] does not exist in any single [...] (a transient state existing within step 412 of Figure 4), the document is split [...]; [...] 914 is polarized (step 918, using [...]) [...] clear format portion 916. This results in polarized content 924 that can be rendered [...].

[...] presentation data [...] decrypting the content, it should be observed that [...] replay application 1012. Digital work 1010 has been encrypted [...] in a format [...] 1010 [...] the replay application 1012 to generate encrypted presentation data [...] 1018, where it is decrypted into clear presentation data 1020. Presentation data is [...] in the clear, but less likely to be regenerated into the original digital form. If presentation data 1020 [...] is used directly by the user, then no further processing is required. [...] a display system such as a printer. In such a case, presentation data [...] the display system's rendering application (in the case of a printer this could be a decomposer) 1022 [...] generates image data 1024. Image data 1024 is then provided to display device 1026.
[...] x, and Cathy wishes, for privacy concerns, that the transformation [...] without Steve knowing her private data x and the function value F(a,x). [...] Steve computes F(a,x) for Cathy but with his eyes blindfolded. What this means to Steve is [that he can] perform the transformation only with data E_k(x) encrypted using Cathy's key k. If Steve can perform the transformation, [...] F(a,x) again encrypted using her key k, and the result [...]:

    F(a,x) <--- F'(a,E(x))

[...] data x as well as the function value F(a,x), he carries out a [...].

[0102] A protocol for blind transformation can be described as follows:

(i) Cathy encrypts x using her encryption key k, resulting in E_k(x).
(ii) Cathy sends E_k(x) to Steve.
(iii) Steve evaluates the modified version F' of the function F at the clear data a and the encrypted data E_k(x).
(iv) Steve returns the result F'(a, E_k(x)) back to Cathy.
(v) Cathy decrypts F'(a, E_k(x)) using her decryption key k^-1 and obtains F(a,x).
[0103] [...] that the server computes private to the client, but they differ in that the client supplies the data input and the server supplies (a program that evaluates) the function in blind transformation, while it is the other way around in secure mobile computing. Note that blind transformation allows some portion of the data (e.g., a) to be in clear. This enables use of some dynamic yet clear data in the rendering process, such as display window size, reference positions for shifting content, scaling factor and coefficients in a rotation operation.

[0104] Blind transformation works only if there exist functions F and F' to compute the encrypted data. It can be shown that multivariate, integer-coefficient affine functions using additive encryption schemes permit many document rendering functions of the affine type on the x- and y-coordinates to be evaluated in blind transformation. For a given encryption scheme S, a function F: X -> X is said to be S-blindly computable if there exists some function F': X -> X such that the computational complexity for evaluating F' is a polynomial of the one for evaluating F, and

    F(a, x) = D_{k^-1}(F'(a, E_k(x)))

for any k in K and x in X. A function F: X -> X is said to be blindly computable if there exists an encryption scheme S with X being a subset of its message space such that F is S-blindly computable.

[0105] Any multivariate, integer-coefficient affine function is S-blindly computable for any additive encryption scheme S. Specifically, let

    F(x_1, ..., x_k) = x_0 + a_1 x_1 + ... + a_k x_k

be a multivariate affine function with a constant x_0 in X, integer coefficients a_i and variables x_1, ..., x_k in X (a_i x_i denoting the a_i-fold sum of x_i under +). Then, for any key k in K, there exists a computationally efficient function

    F'(y_1, ..., y_k) = y_0 ⊕ b_1 y_1 ⊕ ... ⊕ b_k y_k

such that

    D_{k^-1}(F'(E_k(x_1), ..., E_k(x_k))) = F(x_1, ..., x_k).

Indeed, the constant y_0 and integer coefficients b_i in F' can be taken to be y_0 = E_k(x_0), b_i = a_i, i = 1, ..., k. The blind transformation of multivariate, integer-coefficient affine functions using additive encryption schemes allows many document rendering functions of the affine type on the x- and y-coordinates to be evaluated in the blind manner, providing a theoretical foundation for the format-preserving encryption and trusted rendering of documents described herein.
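The protocol of [0102] and the construction of F' from [0105], carried through in Python. This is an example added to this page, not the patent's own code: it takes the page's Mult cipher (defined under [0123]) as the additive scheme S, with ⊕ being addition mod n, and the modulus, key, coefficients and inputs are constructed. The last function is the caveat that goes with the page's later remark on the vulnerability of these schemes: Mult gives up its key to a single known plaintext, so on its own it is a teaching device, not a protection.

```python
"""Blind transformation of an integer-coefficient affine function under an
additive encryption scheme.  Example added for this page (not the patent's
code).  Scheme: the page's Mult cipher E_a(x) = a*x (mod n), whose ciphertext
operation (+) is addition mod n.  Modulus, key and inputs are constructed."""
from math import gcd


class MultCipher:
    """Symmetric additive scheme on X = Y = Z_n: E_a(x) = a*x (mod n)."""

    def __init__(self, n: int, a: int):
        if gcd(a, n) != 1:
            raise ValueError("key a must be invertible modulo n")
        self.n, self.a = n, a
        self.a_inv = pow(a, -1, n)          # decryption key a^-1

    def encrypt(self, x: int) -> int:
        return (self.a * x) % self.n

    def decrypt(self, y: int) -> int:
        return (self.a_inv * y) % self.n

    def oplus(self, y1: int, y2: int) -> int:
        """E(x) (+) E(x') = E(x + x'), computed without seeing x or x'."""
        return (y1 + y2) % self.n

    def times(self, b: int, y: int) -> int:
        """b-fold (+) of a ciphertext (b may be negative: Z_n is a group)."""
        return (b * y) % self.n


def affine_clear(x0: int, coeffs, xs) -> int:
    """F(x_1, ..., x_k) = x_0 + a_1 x_1 + ... + a_k x_k on clear data."""
    return x0 + sum(a * x for a, x in zip(coeffs, xs))


def affine_blind(c: MultCipher, y0: int, coeffs, ys) -> int:
    """F'(y_1, ..., y_k) = y_0 (+) b_1 y_1 (+) ... (+) b_k y_k with b_i = a_i.
    Steve's step (iii): only ciphertexts and the clear coefficients are used."""
    acc = y0
    for b, y in zip(coeffs, ys):
        acc = c.oplus(acc, c.times(b, y))
    return acc


def blind_protocol(c: MultCipher, x0: int, coeffs, xs):
    """Steps (i)-(v) of the page's protocol.  Returns (F computed in the
    clear, F recovered by Cathy from Steve's blind result)."""
    ys = [c.encrypt(x) for x in xs]          # (i)/(ii) Cathy encrypts and sends E_k(x)
    y0 = c.encrypt(x0)                       # y_0 = E_k(x_0); with a symmetric scheme
                                             # Cathy supplies it, with a public-key
                                             # scheme Steve could encrypt x_0 himself
    blind = affine_blind(c, y0, coeffs, ys)  # (iii) Steve evaluates F'
    return affine_clear(x0, coeffs, xs), c.decrypt(blind)   # (iv)/(v) return, decrypt


def known_plaintext_key(x: int, y: int, n: int) -> int:
    """Why Mult alone is weak: one (x, E_a(x)) pair yields a = y * x^-1 (mod n)."""
    return (y * pow(x, -1, n)) % n


if __name__ == "__main__":
    cipher = MultCipher((1 << 61) - 1, 123456789)   # constructed modulus (a Mersenne prime) and key
    clear, blind = blind_protocol(cipher, 5, (3, -2), (40, 7))
    print(clear, blind)                              # 111 111  (5 + 3*40 - 2*7)
    print(known_plaintext_key(40, cipher.encrypt(40), cipher.n) == cipher.a)   # True
```

The clear and blind results agree exactly as long as the true value of F lies in [0, n); a negative result comes back as n + F(a, x), which is why the rendering examples keep coordinates well inside the modulus.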

[0106] A document is usually a message that conforms to a certain format. For document encryption, in addition to simply encrypting the entire document, there are many different ways to encrypt only some parts of the document. The goal here is that the information leakage about the unencrypted portion cannot be used, or if it does leak, it is computationally difficult to reconstruct the exact original document.

[0107] If an encryption scheme preserves formatting information of the digital work, then any transformation function (replay application or rendering application) may be used. An example of a format-preserving encryption method is described for convenience with reference to token-based documents. The method for format-preserving encryption can be easily extended or applied to documents in other formats (such as HTML/XML, Microsoft Word, Acrobat PDF, etc.). In a token-based format such as the Xerox DigiPaper, each page image of a document is represented as a "dictionary" of token images (such as characters and graphics elements) and location information (indicating where those token images appear in the page). Thus, multiple occurrences of the same token in the document can be represented using just a single image of that token in the dictionary.

[0108] The process of rendering a document in such a format is then accomplished by consecutively reading in token locations, retrieving images of the tokens from the dictionary and drawing the images at the specified locations.

[0109] For convenience, a token-based document D of P pages is formally modeled as a table (dictionary) of tokens T of size |T|, together with a sequence of P tables of locations L_i of size |L_i| (1 <= i <= P) representing the P pages. Each entry in the location table L_i is a triple (id[k], x[k], y[k]) representing the k-th token occurrence in the i-th page, where id[k] is the token identifier, and x[k], y[k] are its x- and y-coordinate differences from the previous, (k-1)-th, token occurrence in the page. For example, take the simple document shown in Figure 11 [...].

[0110] The schematic pseudo-code Render(D) below shows how page images of a document D are rendered. In the code, x_0, y_0 are the base references for the x- and y-coordinates for each page, Lookup(T, id) is a subroutine [that retrieves the token image with the] given identifier, and Draw(x, y, t) is a subroutine that draws the token image t at the location (x, y).

Render(D)
{
    Load T into memory
    for i = 1 to P do
    {
        Load L_i into memory
        x = x_0
        y = y_0
        for k = 1 to |L_i| do
        {
            x = x + x[k]
            y = y + y[k]
            t = Lookup(T, id[k])
            Draw(x, y, t)
        }
    }
}
[...] the shifting transformation x' = x + a, y' = y + b, as used in the schematic rendering process [...]. The following are [...] transformations that may occur during the document rendering [...].

[0112] Scaling. The scaling transformation is of the form x' = ax, y' = by, where a and b are scaling factors for the x- and y-coordinates. [...] scaling [...] caused by resizing the window [...] printing paper [...].

[0113] Rotation. The rotation transformation is x' = ax + by, y' = cx + dy for some constants a, b, c, d, which form a 2-by-2 rotation matrix. This transformation is needed when the page image [...].

[0114] Affine Transformation. An affine transformation is one of the form x' = ax + by + e; y' = cx + dy + f for some constants a, b, c, d, e, f. In the vector form, it is:

    [x']   [a b] [x]   [e]
    [y'] = [c d] [y] + [f]

Clearly shifting, scaling and rotation transformations are special cases of affine transformations. It is those affine-type transformations that make it possible to achieve a high-level trusted rendering under encryption of coordinate information using the additive encryption schemes described below.
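A worked version of Render(D) from [0110] with the coordinate information polarized, which is the D(R'(E(x))) = R(D(E(x))) path of [0095] and [0115] in running code. This is an added example, not the patent's or DigiPaper's code: the token dictionary, page, modulus and key are constructed, the page's Mult cipher serves as the additive scheme, and token ids are left in clear to keep the example on the coordinate path (a deployment would also encrypt the dictionary images and decrypt them inside Draw). Because blind evaluation needs integer coefficients, a general rotation would have to be applied in fixed point (scaled to integers); the 90-degree rotation below is the integer case.

```python
"""Trusted rendering of a token-based page with polarized (encrypted)
coordinates.  Example added for this page; not the patent's or DigiPaper's
code.  Location entries are (id, dx, dy) deltas as in the page's model; the
deltas are encrypted with the page's Mult cipher, the renderer R' accumulates
positions and applies an integer affine map x' = a x + b y + e, y' = c x + d y
+ f on ciphertexts, and coordinates are decrypted only inside Draw.  The
token dictionary, page, modulus and key are constructed for the example."""
from math import gcd

N = (1 << 61) - 1          # Mult modulus (a Mersenne prime); coordinates live in Z_N
KEY = 987654321            # symmetric key a
assert gcd(KEY, N) == 1
KEY_INV = pow(KEY, -1, N)  # decryption key a^-1


def enc(x: int) -> int:            # E_a(x) = a x (mod N); negative x maps to N + x first
    return (KEY * x) % N


def dec(y: int) -> int:            # D_a(y) = a^-1 y (mod N), returned as a signed int
    v = (KEY_INV * y) % N
    return v - N if v > N // 2 else v


# Constructed sample: token dictionary T and one page L_1 of (id, dx, dy).
T = {1: "H", 2: "e", 3: "l", 4: "o"}
L1 = [(1, 0, 0), (2, 12, 0), (3, 10, 0), (3, 6, 0), (4, 6, 0), (1, -34, 20)]
X0, Y0 = 100, 50           # base references x_0, y_0 for the page

IDENTITY = (1, 0, 0, 1, 0, 0)
SHIFT = (1, 0, 0, 1, 5, -7)           # x' = x + 5, y' = y - 7
SCALE = (2, 0, 0, 3, 0, 0)            # x' = 2x, y' = 3y
ROT90 = (0, -1, 1, 0, 0, 0)           # x' = -y, y' = x (integer rotation matrix)


def render_clear(L, t):
    """R after D: the page's Render(D) on clear coordinates, then the affine map."""
    a, b, c, d, e, f = t
    x, y, drawn = X0, Y0, []
    for tid, dx, dy in L:
        x, y = x + dx, y + dy
        drawn.append((a * x + b * y + e, c * x + d * y + f, T[tid]))  # Draw(x', y', t)
    return drawn


def polarize(L):
    """Encrypt the coordinate deltas; token ids stay clear so the renderer
    still knows which glyph to draw (the format is preserved)."""
    return [(tid, enc(dx), enc(dy)) for tid, dx, dy in L]


def render_blind(L_enc, t):
    """R': the same accumulation and affine map, computed on ciphertexts.
    Integer coefficients only, because b-fold (+) is b*y mod N."""
    a, b, c, d, e, f = t
    ex, ey = enc(X0), enc(Y0)          # E(x_0), E(y_0)
    ee, ef = enc(e), enc(f)            # translation constants enter as E(e), E(f)
    drawn = []
    for tid, edx, edy in L_enc:
        ex, ey = (ex + edx) % N, (ey + edy) % N            # E(x) (+) E(dx) = E(x + dx)
        exp = (a * ex + b * ey + ee) % N                   # E(a x + b y + e)
        eyp = (c * ex + d * ey + ef) % N                   # E(c x + d y + f)
        drawn.append((dec(exp), dec(eyp), T[tid]))         # depolarize inside Draw only
    return drawn


if __name__ == "__main__":
    page = polarize(L1)
    for t in (IDENTITY, SHIFT, SCALE, ROT90):
        assert render_blind(page, t) == render_clear(L1, t)   # D(R'(E(x))) == R(D(E(x)))
    print(render_blind(page, ROT90))
```

Everything the rendering application sees before Draw is a ciphertext, so the polarized location table and the encrypted absolute positions are useless to anyone who intercepts them without the key; the clear coordinates exist only at the moment a glyph is placed.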
[0115] A special class of encryption schemes, namely additive encryption schemes, is used to carry out blind transformation of functions of the affine type, which provides a foundation for trusted rendering [...]. Recall that blind transformation by a rendering transformation R and R' of an encrypted document satisfies the relationship D(R'(E(x))) = R(D(E(x))), where E is an encryption function and D is a decryption function for E. If E(x) is an additive encryption [...].
[0116] An encryption scheme S generally consists of five components: (i) a message space X which is a collection of possible messages, (ii) a ciphertext space Y which is a collection of possible encrypted messages, (iii) a key space K which is a set of possible keys, (iv) a computationally efficient encryption function E: K × X -> Y, and (v) a computationally efficient decryption function D: K × Y -> X. For each key k in K, there is a unique k^-1 in K such that the encryption function E_k = E(k, ·): X -> Y and the decryption function D_{k^-1} = D(k^-1, ·): Y -> X satisfy, for every message x in X, D_{k^-1}(E_k(x)) = x. The key k is called an encryption key and k^-1 its corresponding decryption key.

[0117] Such defined encryption schemes can be varied in several ways to cover a wide range of concrete encryption schemes used in practice. One variation is to consider whether or not keys used for encryption and decryption are different. In the case where all encryption keys k are the same as their corresponding decryption keys k^-1, the scheme is a symmetric (or private-key) one; otherwise, the scheme is asymmetric. In the case where, for all possible k, k^-1 is different from k and computationally difficult to derive from k, the scheme is a public-key encryption scheme.

[0118] Another variation is to differentiate deterministic and probabilistic encryption schemes. In a deterministic scheme, all the encryption and decryption functions E_k and D_{k^-1} are deterministic functions, while in a probabilistic scheme the encryption function E_k can be non-deterministic, namely, applying the function to a message twice may result in two different encrypted messages.
[0119] An additive encryption scheme is an encryption scheme whose message space X and ciphertext space Y possess some additive structures and whose encryption functions are homomorphic with respect to these structures. Specifically, let X = (X, +, 0) and Y = (Y, ⊕, 0) be two commutative semigroups with (possibly different) zero elements 0 satisfying, for all x, x + 0 = x and 0 + x = x, and efficient operations + and ⊕. An encryption scheme is said to be additive if, for any k in K and any x, x' in X, E_k(x + x') = E_k(x) ⊕ E_k(x'), and the operation ⊕ does not reveal the clear messages x and x'. The last condition on ⊕ makes additive encryption schemes non-trivial. Without this condition the operation ⊕ on Y could be trivially defined as y ⊕ y' = E_k(D_{k^-1}(y) + D_{k^-1}(y')); that is, it is accomplished by first decrypting the arguments, then adding them together and finally re-encrypting the result.

[0120] Closely related to additive encryption schemes are multiplicative ones. An encryption scheme is said to be multiplicative if its spaces X and Y have ring structures (i.e., in addition to their additive structures, they have respective multiplications × and ⊗ that are distributive over their additions + and ⊕, and multiplicative identities), the encryption function E_k is homomorphic with respect to the multiplications, E_k(x × x') = E_k(x) ⊗ E_k(x'), and the operation ⊗ does not reveal the clear messages x and x'.

[0121] In general, additive (as well as multiplicative) encryption schemes are not non-malleable, since a non-malleable scheme requires that, given an encrypted message, it is (at least computationally) impossible to generate a different encrypted message so that the respective clear messages are related. Accordingly, they have a weakness against active attacks where the adversary attempts to delete, add or alter in some other way the encrypted messages. However, when these schemes are used to encrypt documents, extra measures in data integrity and message authentication can be taken to reduce risks caused by these active attacks on document integrity as well as confidentiality. Moreover, [...]

EP 1 146 715 A1

[0122] [...] Nevertheless, there are many [...] non-additive or at least being able to convert into non-additive [...] that can be used in the method for format-preserving encryption [...]: Mult, Exp and EG (three deterministic schemes), OU (probabilistic) and RSA are examples [...]. [...] of vulnerability to [...] attacks, [...] may be used in the [...].

[0123] Multiplicative Cipher (Mult) is a symmetric encryption scheme where X = Y = Z_n = {0, 1, ..., n-1} for some integer n > 0 and the keys a are integers invertible modulo n. The encryption of a message x using a key a is

    y = E_a(x) = ax (mod n)

and the decryption of a message y using the key a is

    x = D_a(y) = a^-1 y (mod n),

where a^-1 is the multiplicative inverse of a modulo n.

[0124] Exponential Cipher (Exp) is a symmetric cipher where X = Z_{p-1} and the encrypted-message space Y = Z_p^* for some prime p, and K is the set of all generators of the multiplicative group Z_p^*. For any generator g ∈ K, the encryption function is defined as the exponential function

$E_g(x) = g^x \pmod p,$

while the decryption function is defined as the logarithm function

$D_g(y) = \log_g y \pmod{p-1}.$

... with private key a and public key h = g^a (mod p) ∈ Z_p^*, the encryption E_a(x, r) depends on a uniformly chosen random number r ∈ Z_{p-1}:

$E_a(x, r) = (g^r \pmod p,\; x h^r \pmod p) = (s, t).$

For an encrypted message (s, t), the decryption function is defined as

$D_a(s, t) = t (s^a)^{-1} \pmod p.$

The scheme is additive in the following sense, provided that both messages are encrypted using the same random number r:

$E_a(x, r) \oplus E_a(x', r) = (s, t) \oplus (s, t') = (s, t + t') = E_a(x + x', r) \pmod p.$
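The following is an added worked example and is not part of the patent text. It implements the Exp cipher of [0124] and the additive ElGamal variant of [0125] with toy parameters (the prime P = 1019 and generator G = 2 are constructed; Exp decryption is a brute-force discrete logarithm, which is only feasible at this size), shows the blind evaluation of an affine function with clear coefficients over encrypted variables, and demonstrates the malleability described in [0121]: an attacker who knows g can shift the hidden message of an Exp ciphertext without the key, which is why a message authentication code must accompany these ciphertexts in practice. Two caveats a practitioner should note: the ⊕ operation on EG ciphertexts is only defined when both operands were produced with the same r, and two EG ciphertexts sharing the same r leak the ratio t/t' = x/x' (mod p) of their plaintexts.

```python
"""Added example: the Exp cipher ([0124]) and the additive ElGamal variant ([0125]),
the blind affine evaluation of [0130], and the malleability noted in [0121].
All parameters are constructed toy values; P is far too small for any real use."""
import secrets

P = 1019   # constructed toy prime; 2 generates Z_P^* (P - 1 = 2 * 509 and 2 is a non-residue mod P)
G = 2


def is_generator(g, p):
    """Brute-force order check; only sensible for toy p."""
    acc, order = g % p, 1
    while acc != 1:
        acc, order = acc * g % p, order + 1
    return order == p - 1


# ---- Exp: X = Z_{p-1}, Y = Z_p^*, key g a generator ----
def exp_encrypt(x, g=G, p=P):          # E_g(x) = g^x mod p
    return pow(g, x % (p - 1), p)


def exp_decrypt(y, g=G, p=P):          # D_g(y) = log_g y; brute force, infeasible for real p
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * g % p
    raise ValueError("y is not in Z_p^*")


def exp_add(y1, y2, p=P):              # the ⊕ on Y: g^x * g^x' = g^(x + x')
    return y1 * y2 % p


def exp_scale(y, c, p=P):              # clear coefficient c: E(x)^c = E(c * x)
    return pow(y, c, p)


def exp_affine(coeffs, cts, const, p=P):
    """Blind evaluation of sum(c_i * x_i) + const with clear c_i, const and encrypted x_i."""
    acc = exp_encrypt(const, p=p)
    for c, y in zip(coeffs, cts):
        acc = exp_add(acc, exp_scale(y, c, p), p)
    return acc


def exp_tamper(y, delta, g=G, p=P):    # active attack of [0121]: shifts the hidden x by delta, no key needed
    return y * pow(g, delta, p) % p


# ---- EG (additive variant): public h = g^a, private a ----
def eg_keygen(g=G, p=P):
    a = secrets.randbelow(p - 2) + 1   # private key a in [1, p - 2]
    return a, pow(g, a, p)


def eg_encrypt(h, x, r, g=G, p=P):     # E_a(x, r) = (g^r, x * h^r) = (s, t)
    return pow(g, r, p), x * pow(h, r, p) % p


def eg_decrypt(a, ct, p=P):            # D_a(s, t) = t * (s^a)^-1
    s, t = ct
    return t * pow(pow(s, a, p), -1, p) % p


def eg_add_is_defined(ct1, ct2):       # True iff both ciphertexts share the same r (same s)
    return ct1[0] == ct2[0]


def eg_add(ct1, ct2, p=P):             # (s, t) ⊕ (s, t') = (s, t + t'); only valid for equal s
    if not eg_add_is_defined(ct1, ct2):
        raise ValueError("ciphertexts use different random r; the sum is undefined")
    return ct1[0], (ct1[1] + ct2[1]) % p


def eg_scale(ct, c, p=P):              # clear coefficient c: (s, c * t) = E_a(c * x, r)
    s, t = ct
    return s, c * t % p
```

With the Exp cipher the "renderer" never learns the x_i: it only multiplies and exponentiates ciphertexts, and the decryption at the display step recovers 3·x_1 + 5·x_2 + const mod (p-1). The same call pattern applies to the EG variant, where scaling touches only the second component.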

T. Okamoto and S. Uchiyama, "A New Public-Key Cryptosystem as Secure as Factoring", Advances in Cryptology - Eurocrypt '98, Lecture Notes in Computer Science 1403, pp. 308-318.
[0127] ... Let p and q be primes and n = p^2 q. Choose g ∈ Z_n^* at random such that the order of g_p = g^{p-1} (mod p^2) is p. Let h = g^n (mod n). The message space X of the OU scheme is the set ... and the encrypted-message space Y is Z_n. For a user, a public key is the tuple (n, g, h, k) and its corresponding private key is the pair (p, q) of the primes. To encrypt a message x ∈ X, a random number r ∈ Z_n is chosen uniformly. Then the encrypted message is

$y = E_{(n, g, h, k)}(x, r) = g^x h^r \pmod n.$

[0128] To decrypt the encrypted message y, a 'logarithmic' function L: Γ → Z_p,

$L(x) = (x - 1) / p,$

is used (the division is exact, since x ≡ 1 (mod p)), where Γ is the p-Sylow subgroup of Z_{p^2}^*, i.e., Γ = {x ∈ Z_{p^2}^* | x ≡ 1 (mod p)}. With the function L, the decryption function is

$x = D_{p,q}(y) = L(y^{p-1} \pmod{p^2}) \cdot L(g^{p-1} \pmod{p^2})^{-1} \pmod p.$
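The following is an added worked example, not part of the patent text, implementing the OU key generation, encryption, decryption and the additive operation of [0127] and [0128]. The primes (503 and 541) are constructed toy values; real OU keys use primes of roughly a thousand bits. The bound on the message space, 0 ≤ x < 2^{k-1} with k the bit length of p, is taken from the Okamoto-Uchiyama paper cited above rather than from this page; it is what keeps x below p so that the decryption, which works modulo p, is exact.

```python
"""Added example: toy Okamoto-Uchiyama (OU) following [0127]-[0128].
Primes are tiny constructed values; this is for illustration only."""
import secrets
from math import gcd


def ou_keygen(p, q):
    """Public key (n, g, h, k) and private key (p, q).
    g is chosen so that g_p = g^(p-1) mod p^2 has order p: g_p lies in Γ, whose
    order is p, so its order is p exactly when g_p != 1."""
    n, p2 = p * p * q, p * p
    while True:
        g = secrets.randbelow(n - 2) + 2
        if gcd(g, n) == 1 and pow(g, p - 1, p2) != 1:
            break
    return (n, g, pow(g, n, n), p.bit_length()), (p, q)


def L(x, p):
    """'Logarithm' on Γ = {x in Z_{p^2}^* : x ≡ 1 (mod p)}: L(x) = (x - 1) / p."""
    if (x - 1) % p:
        raise ValueError("argument not in Γ")
    return ((x - 1) // p) % p


def ou_encrypt(pk, x, r=None):
    """y = g^x h^r mod n with r uniform in Z_n (probabilistic encryption)."""
    n, g, h, k = pk
    if not 0 <= x < 2 ** (k - 1):          # message-space bound from the OU paper
        raise ValueError("message outside X")
    r = secrets.randbelow(n) if r is None else r
    return pow(g, x, n) * pow(h, r, n) % n


def ou_decrypt(sk, pk, y):
    """x = L(y^(p-1) mod p^2) * L(g^(p-1) mod p^2)^-1 mod p.
    h^(p-1) vanishes mod p^2 because h = g^n and n(p-1) is a multiple of the
    group order p(p-1), so only the g^x part survives the exponentiation."""
    p, _ = sk
    n, g = pk[0], pk[1]
    p2 = p * p
    return L(pow(y, p - 1, p2), p) * pow(L(pow(g, p - 1, p2), p), -1, p) % p


def ou_add(pk, y1, y2):
    """The ⊕ on Y is multiplication mod n: g^x h^r * g^x' h^r' = g^(x+x') h^(r+r')."""
    return y1 * y2 % pk[0]


def ou_scale(pk, y, c):
    """Clear coefficient c: y^c encrypts c * x, valid while c * x stays below p."""
    return pow(y, c, pk[0])
```

Because r is fresh per encryption, two encryptions of the same x differ, unlike the deterministic Mult, Exp and EG schemes above; the additive operation nevertheless needs no coordination of r between the two operands.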



[0129] New additive encryption schemes can be constructed from existing ones via the composition construction of encryption schemes. The composition construction can also be used to construct additive encryption schemes from non-additive ones. For instance, the composition of the exponential cipher Exp and any multiplicative encryption scheme S (such as RSA) results in an additive one.

[0130] Additive encryption schemes enable blind transformation with partially encrypted data, which serves as the foundation for trusted rendering of documents, as discussed above. In particular, additive encryption schemes can be used to perform blind transformation of affine functions with clear coefficients and encrypted variables.
[0131] Returning to the example of a token-based document, since such a document consists of a dictionary T of token images and a sequence of location tables L_i (one for each page image), the idea is to encrypt the content of the dictionary T and the location tables L_i, resulting in a dictionary T' of encrypted images and location tables L_i' of encrypted locations. Recall that the dictionary T consists of a collection of pairs (id_j, t_j), j = 1, ..., m. Associated with T is a subroutine Lookup(T, id) that, given a valid token identifier id, returns its corresponding token image t. In encrypting the dictionary T, there are three basic choices: encrypting token identifiers, token images, or both.

[0132] ... In addition, encrypting token images protects proprietary token images. In any case, it is desirable to allow use of the dictionary T only within the rendering process P, while making it computationally difficult to obtain a copy of the entire clear contents of the dictionary. This is possible because in many cases the valid identifiers (e.g., Huffman codes) are only a very small ... The ... is that the encrypted dictionary T' and the corresponding subroutine Lookup' satisfy the following constraints:

(1) For any encrypted identifier E_k(id), Lookup'(T', E_k(id)) = E_k(Lookup(T, id)); and

(2) Given T' and Lookup', it is computationally infeasible to reconstruct T.

[0133] For an encryption scheme S, T' and Lookup' can be constructed as follows. Let ID be the set of all possible identifiers; in particular ID' ⊂ ID, where ID' = {id | (id, t) ∈ T}. Let h be a one-way hash function whose domain is ID. ... the encrypted token dictionary T' ... for every pair (id, t) in T, the hashed identifier together with the encrypted token image E_k(t) is inserted into T'. The modified subroutine Lookup' uses the algorithm:






Lookup'(T', id)
{
    id' = h(id)
    t' = Lookup(T', id')
    return (t')
}



... compression ratio. This may be undesirable for token-based documents, as achieving a good document compression ratio is one of the design goals for token-based documents.



Render(D)
{
    for i = 1 to P do
    {
        Load L_i into memory
        x = E_k(x_0)
        y = E_k(y_0)
        for k = 1 to |L_i| do
        {
            y = y ⊕ y[k]
            t = Lookup'(T', id[k])
            Draw'(x, y, t)
        }
    }
}

Draw'(x, y, t)
{
    x = D_{k^{-1}}(x)
    y = D_{k^{-1}}(y)
    t = D_{k^{-1}}(t)
    Draw(x, y, t)
}



During the process, all the coordinate and token image information remains encrypted before calling the subroutine Draw(x, y, t). This is possible for the coordinate information because the encryption scheme is additive. Consequently, the content protection level and the performance of the rendering process rely on the security strength and computational complexity of the scheme used.
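The following is an added worked example, not part of the patent text, that runs the Render/Draw' procedure of [0137] over an encrypted dictionary built as in [0133], using the Mult cipher of [0123] because it is both additive and format preserving (an encrypted coordinate is still an integer). Token images, location tables and the key are constructed sample data. Two assumptions are made that the page leaves open: the dictionary T' is keyed by h(E_k(id)) so that constraint (1) of [0132] holds with a deterministic E, and each location-table entry carries an (x, y) offset pair, both accumulated with ⊕ (the page's listing shows only the y update). The same key value is handed to Draw' in place of k^{-1} for brevity; in a deployment the decryption key lives only in the trusted display step.

```python
"""Added example: blind rendering of a token-based page with the Mult cipher ([0123], [0133], [0137]).
Token images are small integer bitmaps; all sample data is constructed."""
import hashlib

N = 2 ** 31 - 1   # constructed modulus; prime, so every key 0 < a < N has an inverse


def mult_encrypt(a, x):            # E_a(x) = a * x mod N; E(x) + E(x') = E(x + x')
    return a * x % N


def mult_decrypt(a, y):            # D_a(y) = a^-1 * y mod N
    return pow(a, -1, N) * y % N


def h(value):                      # one-way hash indexing the encrypted dictionary
    return hashlib.sha256(str(value).encode()).hexdigest()


def build_encrypted_dictionary(a, T):
    """T' : h(E_a(id)) -> E_a(t) for every (id, t) in T (assumed keying); T itself is not stored."""
    return {h(mult_encrypt(a, tid)): mult_encrypt(a, img) for tid, img in T.items()}


def lookup_enc(T_enc, enc_id):
    """Lookup'(T', E_a(id)); returns the still-encrypted token image."""
    return T_enc[h(enc_id)]


def encrypt_location_table(a, table):
    """L_i' : every offset and identifier encrypted; (dx, dy) offsets are an assumption."""
    return [(mult_encrypt(a, dx), mult_encrypt(a, dy), mult_encrypt(a, tid)) for dx, dy, tid in table]


def render_clear(T, pages, x0, y0):
    """Reference renderer over clear data; returns the Draw calls it would make."""
    draws = []
    for table in pages:
        x, y = x0, y0
        for dx, dy, tid in table:
            x, y = x + dx, y + dy
            draws.append((x, y, T[tid]))
    return draws


def draw_blind(a, x, y, t):
    """Draw'(x, y, t): decrypt only at the point of drawing (a stands in for k^-1)."""
    return mult_decrypt(a, x), mult_decrypt(a, y), mult_decrypt(a, t)


def render_blind(a, T_enc, pages_enc, x0, y0):
    """Render over encrypted tables: coordinates accumulate with ⊕, which for Mult is addition mod N."""
    draws = []
    for table in pages_enc:
        x, y = mult_encrypt(a, x0), mult_encrypt(a, y0)
        for ex, ey, eid in table:
            x, y = (x + ex) % N, (y + ey) % N
            draws.append(draw_blind(a, x, y, lookup_enc(T_enc, eid)))
    return draws


# Constructed sample: three 5-bit token images and two pages of (dx, dy, id) entries.
T = {1: 0b10101, 2: 0b01110, 3: 0b11111}
PAGES = [[(5, 10, 1), (8, 0, 2), (8, 0, 3)], [(5, 10, 3), (8, 0, 1)]]
KEY = 123456789
```

Everything the renderer holds between loading a page and the Draw' call (positions, identifiers, images) is a ciphertext; the blind and clear renderers produce identical Draw calls, which is the correctness condition D(F'(E(z))) = F(z) of the claims below.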

[0138] In another embodiment of the invention, a digital work is polarized, enabling trusted rendering or replay of the digital work without depolarization of the digital content or the presentation data. In this embodiment, the digital work is of a type which includes digital content and resource information (also referred to as the system context). Resource information includes formatting information or other information used by a replay or rendering application to convert the digital work into presentation data.

[0139] Polarization is a type of transformation which renders the original content unreadable or unusable. For a digital work w, a polarization scheme T, which uses a seed s, generates a polarized digital work w' according to w' = T(w, s). The same transformation T may also be used to generate the polarized resource information S' according to S' = T(S, s). In this example, a seed s is used to make reverse engineering of the polarization scheme more difficult.

[0140] For example, a document type digital work may be polarized using a simple polarization scheme. In a document, the digital content comprises a series of characters in a particular order or location. If the document is to be displayed on a viewing device, each character must be able to be displayed at a particular location for viewing by a user on the viewing device, such as on a monitor. A coordinate system is required for displaying each character on the viewing device. For example, in this paragraph, the letter "F" appears at the top line, indented by five spaces.

[0141] ... Suppose the location (x, y) of each letter in the document is ... and a seed (a, b) is obtained from the user's ... The following polarization functions may be used to polarize the location:

$Y = b^y$, for the vertical axis; and
$X = x / a$, for the horizontal axis.

[0142] The following transformation functions, the inverses of the polarization functions above, are used ...:

$y = \log_b(Y)$, for the vertical axis; and
$x = a X$, for the horizontal axis,

where log_b is the logarithm with base b.
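The following is an added worked example, not part of the patent text, implementing the coordinate polarization of [0141] and its inverse from [0142], with the seed (a, b) derived from system-state information in the manner of the state-based generator described in [0151] below. The document, the system-state dictionary and the way a and b are taken from a SHA-256 digest are all constructed for the example; restricting a and b to small integers is an assumption made so that b^y stays small, and exact rational arithmetic is used so that x/a followed by a·X reproduces x without rounding.

```python
"""Added example: polarization Y = b^y, X = x/a and its inverse ([0141]-[0142]),
seeded from constructed system-state information ([0151])."""
import hashlib
from fractions import Fraction


def seed_from_state(state):
    """Derive (a, b) from system-state information (hardware identifiers, settings, ...).
    Assumption: a and b are kept to small integers in [2, 8] so that b**y stays small."""
    blob = "|".join(f"{k}={v}" for k, v in sorted(state.items())).encode()
    d = hashlib.sha256(blob).digest()
    return 2 + d[0] % 7, 2 + d[1] % 7


def polarize(doc, seed):
    """T(w, s): each (char, x, y) becomes (char, X, Y) with X = x/a and Y = b**y."""
    a, b = seed
    return [(ch, Fraction(x, a), b ** y) for ch, x, y in doc]


def int_log(b, value):
    """Exact log_b for a value that is a power of b; anything else is rejected."""
    y = 0
    while value > 1:
        if value % b:
            raise ValueError("not a power of the base")
        value //= b
        y += 1
    return y


def depolarize(pdoc, seed):
    """Inverse transformation of [0142]: x = a*X, y = log_b(Y)."""
    a, b = seed
    return [(ch, int(a * X), int_log(b, Y)) for ch, X, Y in pdoc]


def replays_correctly(doc, polarize_seed, replay_seed):
    """True iff replaying with replay_seed reproduces doc polarized under pol_seed."""
    try:
        return depolarize(polarize(doc, polarize_seed), replay_seed) == doc
    except ValueError:
        return False


# Constructed sample: "Hello" on line 0 and "World" on line 1, five columns in.
DOC = [(ch, 5 + i, 0) for i, ch in enumerate("Hello")] + \
      [(ch, 5 + i, 1) for i, ch in enumerate("World")]
STATE = {"cpu_id": "CONSTRUCTED-CPU-0001", "hostname": "viewer-42", "screen": "1280x1024"}
```

A replay on a system whose state yields a different (a, b) either produces wrong positions or rejects the polarized values outright, which is the "inseparable link to a particular user system" that [0151] describes.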

[0143] ... the resource information and ... These complementary polarized forms of the digital work and the resource information provide the mechanism to protect the digital work. While the replay application is ..., the replay application is ...

[0144] ... depends on the sensitivity of ... of polarization; a lower valued work ... a lower level of polarization. If the user's environment is trusted, a lower level of polarization may be used. Another ... of polarization is that it requires system resources to create the polarized ...

[0145] ... quality of the polarization seed ... the digital work ... and ... Resource information to be polarized may also be ... the manufacturer or ...

[0146] ... the polarization seed, polarization of the digital work and polarization of the resource information. Once the polarization seed is generated, the polarization engine ... takes as input the digital work or the resource information, and ... the transformation function seeded ... resource information is utilized to ... transformation function ...

[0147] ... Referring to Figure 14, ... the digital content is polarized and the resource information is preserved, creating polarized digital work 1422. The content polarization 1420 may occur as shown with reference to Figure 9. A digital work typically includes content, instructions and formatting. While polarization can occur to the entire digital work, preferably only the content is polarized; the instructions and formatting are not polarized. However, in some instances, for some replay applications, some of the resource information contained within the digital work may also be polarized. This is similar to the format preserving encryption method described above.

[0149] Resource extraction 1412 extracts at least one resource information from the set of resource information associated with digital work 1410. Extraction consists of copying the resource information into a system resource file 1414. System resource 1414 is then polarized at resource polarization 1416 to become polarized system resource 1424. The polarization scheme for content polarization and resource polarization need not be the same. Preferably, each polarization scheme employs a polarization seed 1418 which is generated by seed generator 1426. Several exemplary methods for seed generation are described below. In particular, in a preferred embodiment, the polarization seed is based on unique information from the user's system.

[0150] Several techniques for generation of the polarization seed may be used. For example, a seed generator which generates a number from a random number generator may be used. This method, referred to as stateless polarization, does not depend on any secret key information or user system information. The process for stateless polarization yields a specific value for the system for polarization. The inherent vulnerability of digital security systems may be found in mishandling of secret information, mathematical complexity, and algorithmic complexity. Eliminating the secret information seals off one target of attack. With stateless polarization, a random number generator produces the polarization seed. In this case, once the polarization process is complete, the seed is discarded without a trace. Hence the security of the system is free from attacks focused on compromising the secret information, and the user need not divulge sensitive information that may be deemed a privacy violation.

[0151] Another seed generator that may be used is a state-based generator. The state-based seed generator constructs a seed by first acquiring system state information from the user's replay system or rendering device. System state information includes hardware identifiers, system settings and other system state-related information. While there is much value in stateless polarization, other security requirements may require use of an inseparable link to a particular user system or device. By generating the polarization seed from system/device-specific information, the polarization engine will produce a digital work that is polarized to a form that corresponds to a specific system/device.
[0152] The polarization seed generator can also be tied to an authorization process. In authorization-based polarization the seed generation can be tied in with the outcome of the authorization process. A separate authorization repository (which is a trusted source) provides authorization information as part of some other security feature associated with delivering access to a digital work to a user. The trusted source of authorization information may be an online authorization repository as described in US Patent No. 5,629,980. This authorization information is then used to generate a polarization seed.

[0153] If a stateless polarization seed is used, the digital work and its resource information may be polarized and stored together for delivery to a user when the user purchases the associated rights of use for the particular digital work. If one of the other polarization seed generation methods is used, polarization typically must wait until the user provides the system state or authorization information before the digital work and resource information may be polarized.
[0154] An embodiment which provides a higher level of protection in terms of ensuring that the digital work may be replayed only on a specific physical system or device uses a dynamic state-based polarization seed. In this embodiment, a polarization engine and polarization seed generator must be provided to the replay application or rendering device along with the digital work and resource information. In this embodiment, the digital work and resource information are polarized prior to replay and rendering using a seed which is generated based on the dynamic state of the particular system or device. The dynamic state may come, for example, from the system clock, CPU utilization, hard drive allocation, cursor coordinates, etc. By polarizing the work using a snapshot of a dynamic state, the work is locked to a particular system configuration (i.e., state) in time. Polarization of the digital work, and ultimately its blind replay (described below), is based upon a dynamically evolving state. The evolution of the dynamic state does not yield unique secret information, and the repeatability of the polarization ... Dynamic-state based polarization makes compromising the polarized digital work and system context more difficult. Since the polarization process is carried out within a trusted system, it is implied that the process cannot be deconstructed.

[0155] The actual process of polarization can be, as described in the example above, an algorithmic transformation parameterized by the polarization seed. During polarization, the data and resource identifiers of the digital work are transformed as described above. The structure of the digital work is unaltered, however, such that the original format, such as PDF, DOC, WAV, or other format, is retained much like in the format preserving encryption. Similarly, the polarization of the resource information yields a polarized form of the resource information such that the resource identifiers, element identifiers and resource characteristics are transformed, yet the structure of the system context remains unaltered. By polarizing the digital work and resource information according to the same seed based on a user's specific device or system information, an inseparable relationship is established such that the work cannot be ...

[0157] ... on a display system. If a content owner does not ... users who will receive the work), the digital work ... any encoding, encryption or other protection for direct use by any user.

[0158] If the digital work is downloaded onto the user's system, it is typically stored ... If it is provided via a storage media, such as a floppy disk, CD-ROM or DVD-ROM, the digital work is usually accessed directly from the storage media.

[0159] In order to play the digital work, referring to Figure 15, the digital work 1510 is provided to a replay application 1512. In the case of a document or other type of digital work ... resource information, the digital work will include ... resource information ... for the particular system resources or system resources needed by the ... For example, the digital work 1510 may be a text document in which ... Replay application 1512 accesses the resource information on digital work 1510, ... accesses the appropriate system resources 1516 (which in this case is the Arial font), ... and uses the system resource information to convert the digital content into presentation data 1514.

[0160] ... presentation data is ... In the case of a display ..., ... the presentation data 1514 is converted. For example, the presentation data 1514 is provided to rendering application 1518 ... Rendering application 1518 uses other system resources 1516 to transform the presentation data into image data 1520. Image data 1520 is in a form which can be directly displayed ...

[0161] In addition to the earlier described systems ... during replay, a digital work may be protected during replay by polarizing the digital work in accordance with a first polarization scheme which produces polarized content and preserves ... The resource information is copied and polarized ... Replay application 1612 uses ... polarized resource information 1616 (... may be required) to transform the polarized digital work ... into presentation data ... The presentation data is necessarily in the clear, which means it can be captured ...

[0162] The polarized resource information can be thought of as acting like a depolarizing filter to bring the polarized digital content into a clear image (presentation data). This ... which can be any commercial ... for any transformation function R such that ..., where ... is the polarized digital content, w is the clear digital content, s' is the polarized resource information, ...

[0163] ... the polarized digital work and polarized resource ... regular encryption. For example, the polarized digital work and polarized resource information ... for distribution, then decrypted at the user's ... The user must first obtain permission from the content owner or the ... the encrypted digital ...

[0164] The complexity of rendering a digital work into a usable form for viewing by a user can be used to further protect the digital work during replay. Referring to Figure 17, polarized digital work 1710 is provided to replay application 1712, which uses polarized system resources 1716 and other system resources 1718 to transform polarized digital work 1710 into partially polarized presentation data 1714. In this embodiment, display system 1728 is needed to transform presentation data into a form usable by the user. Partially polarized presentation data 1714 is provided to rendering application 1720, which uses polarized system resources 1716, local system resources 1722 and system resources 1718 to transform the partially polarized presentation data 1714 into clear image data 1724. Clear image data 1724 is then displayed on display device 1726 for use by the user. In this embodiment, presentation data is still polarized, moving the location of the clear data to a later point of the display process and providing further protection.
[0165] To enhance usability of the system for polarization of digital works, the polarized resource information may be separated from the digital work and tied to a transportable device such as a smart card. In this embodiment, the replay application 1712 plays back the work using the polarized system resources 1716. Instead of having the polarized system resources 1716 stored in a local memory along with the polarized digital work 1710, the polarized system resources 1716 are stored in a transportable device such as a smart card. Also, the smart card, possibly with hardware-enhanced features, may possess attributes that provide for tamper resistance. Within the transportable context, the polarized data is processed by the replay application 1712 to yield the partially polarized presentation data, which is then provided to the rendering application 1720.
[0166] Many different types of digital works can be protected throughout use using the polarization method. For example, if the digital work is a document or text file, the replay application may be a word processor, and the system resources or resource information may include font tables, page layout, and color tables. If the digital work is audio or video data (e.g., streams), the replay application may be an audio or video player. The presentation data will be the audio/video final data stream. The display system may be an audio/video device. The rendering application may be the audio/video device driver. The image data may be the audio/video device data stream and the display device may be the audio/video rendering device (speaker or monitor, for example).

[0167] For a digital work that is an audio/video data stream, the system resources or resource information may include characteristics of the audio/video device: sample rate (samples per second, e.g., 8 kHz, 44.1 kHz), sample quality (bits per sample, e.g., 8, 16), sample type (number of channels, e.g., 1 for mono, 2 for stereo), and sample format (instructions and data blocks). A table of some audio/video data streams and their corresponding resource information or variable parameters which can be selected for polarization is set forth below:

Table 1: Digital Work: A/V Data (Streams)

Extension | Origin        | Variable Parameters (#Fixed)  | Compression | Player
----------|---------------|-------------------------------|-------------|-------------
.mp3      | MPEG standard | sample rate, quality, #type   | MPEG        | MP3 Player
.ra       | Real Networks | sample rate, quality, #type   | Plug-ins    | Real Player
.wav      | Microsoft     | sample rate, quality, #type   | ADPCM       | Window Media
.snd      | Apple         | sample rate, #quality, #type  | MACE        | QuickTime


[0168] The structure of a digital work can be used advantageously for polarization. While it is possible to polarize the entire digital work, it is more convenient to polarize only a portion of the digital work. Most digital works include three primary elements: instructions, data, and resources. Preferably, only the data and resources of the digital work are polarized, much like the format preserving encryption method described above. By selectively transforming only the data and resources, a digital work may be transformed such that the content remains in the original format, yet the data and resources are incomprehensible.

[0169] The general layout of a digital work of the document type is shown in Figure 18. In Figure 18, digital work 150 includes Page Descriptors 152, Control Codes 154, 158 and 162, Resource Identifiers 156, and Data 160 and 164. Page Descriptors 152 define the general layout of a work. For instance, the page size, page number and margins fall into the category of Page Descriptors with respect to digital documents. Control Codes 154, 158 and 162 are similar in that they describe the presentation of the content. Examples include commands to set text position, output text, set font type, and set current screen coordinates. Resource Identifiers 156 simply reference the desired resources. In the digital document realm, resources could vary from font typeface to background color. Finally, Data 160, 164 represent the core information communicated by the digital work. This could be the drawing coordinates used in a multimedia clip or the character codes for rendering as a digital document.

[0170] An example of a digital work (in this case a simple digital document) and one of its polarized forms are shown in Figures 19 and 20, an HTML document in clear and polarized form. The tags <html> and <body> are Page Descriptors. The <font> ... </font> tag is an example of a Control Code for setting font resource characteristics, while "Arial" is the Resource Identifier. ... remain unchanged, whereas the Resource Identifier "Arial" ... has been transformed ... Similarly, the Data "Hello World" has also been transformed to an indecipherable ... Transforming the Resource Identifiers and the Data while leaving the Page Descriptors and Control Codes intact allows for the ... original format, which in general could be HTML, Adobe PDF, RealNetworks RAM, Apple QuickTime, etc.
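The following is an added worked example, not part of the patent text, of the selective polarization described in [0168] to [0170]: a small HTML document is parsed, only its Data (text nodes) and Resource Identifiers (here, the `face` attribute of `<font>`) are transformed, and every Page Descriptor and Control Code tag is emitted unchanged, so the result is still an HTML document. The sample document, the seed value and the seeded alphabet-rotation used as the transformation are constructed for the example; the rotation is a placeholder for whatever seeded transformation a polarization engine would apply, chosen only because it is reversible and keeps the output printable.

```python
"""Added example: structure-preserving polarization of an HTML digital work ([0168]-[0170]).
Tags stay intact; text nodes (Data) and the font face (Resource Identifier) are transformed."""
import re
import string
from html.parser import HTMLParser

ALPHABET = string.ascii_letters + string.digits + " "   # constructed; other characters pass through


def shift_text(text, seed, sign=1):
    """Seeded, reversible substitution over ALPHABET; sign=-1 undoes sign=+1."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + sign * seed) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


class Polarizer(HTMLParser):
    """Re-emits the document, transforming only Data and the font Resource Identifier."""

    def __init__(self, seed, sign):
        super().__init__(convert_charrefs=False)
        self.seed, self.sign, self.out = seed, sign, []

    def handle_starttag(self, tag, attrs):
        parts = []
        for key, value in attrs:
            if value is not None and tag == "font" and key == "face":
                value = shift_text(value, self.seed, self.sign)   # Resource Identifier
            parts.append(f' {key}="{value}"' if value is not None else f" {key}")
        self.out.append(f"<{tag}{''.join(parts)}>")              # Page Descriptor / Control Code kept

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(shift_text(data, self.seed, self.sign) if data.strip() else data)  # Data


def _run(doc, seed, sign):
    p = Polarizer(seed, sign)
    p.feed(doc)
    p.close()
    return "".join(p.out)


def polarize_html(doc, seed):
    return _run(doc, seed, +1)


def depolarize_html(doc, seed):
    return _run(doc, seed, -1)


def tag_skeleton(doc):
    """The sequence of tags, used to check that the structure survived polarization."""
    return re.findall(r"</?\w+", doc)


# Constructed sample in the spirit of Figure 19.
CLEAR = '<html><body><font face="Arial">Hello World</font></body></html>'
```

A browser still parses the polarized output as HTML with one font element, which is the point of [0168]: the format is preserved while the data and the resource reference are useless without the seed.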

[0171] ... can be thought of as the collection of ... For example, it may include the Font Table, Color Palette, System Coordinates and Volume Settings. ... as input to a replay application, the replay application uses the ... of the digital work to transform the digital content into presentation data. Each ... to be unique to a system or ...

[0172] ... digital work, tying use of the digital work to a specific ... element for the use of the Resource Identifiers and Data within the digital work ... for replay. The ... reference elements within the system context. Polarizing the digital work ... data. By polarizing the system context ... system, the resulting polarized system context can be a unique environment ... with the same polarization seed may be ...

[0173] ... information for other system components ... the identifier of an individual ... within the resource. Finally, the Characteristics are the actual source characteristics used to express the individual resource element.

[0174] ... enough to transform the resource characteristics ... characteristics for 'b' instead of 'a' ... depicted as transformed to express the ...

[0175] ... works. In addition to documents, ... generally provided in the form of streams. A ... audio/video ... stream into a final data stream which can be processed by a transducer (speaker) into an audio output or by a display into a video image.

[0176] ... accepted by an audio/video device. It uses the audio/video system resources ... mixes the resampled audio ... and then ... device. In the case of an audio/video ... sample rate, quality, ... and format expected by a target ... stream at some ...

[0177] ... PAL or NTSC, ... and format ... include sound cards, speakers, monitors and the digital to analog converter located within ...

[0178] Many devices are able to play audio/video streams at a range of different sample rates ...

[0179] ... by the audio/video device ... characteristics (resource information: sample rates, channels, ...). ... The device characteristics (one or more of the stream's sample rates, channels, qualities and/or formats) may also be polarized to generate the polarized resource information.

[0180] Replay of the polarized audio/video stream is accomplished in a similar manner as for a polarized document. The replay application (audio/video player) mixes together the unpolarized stream and the polarized stream, and using the polarized resource information, produces a polarized final data stream for the target audio/video device with a covert set of resource information. The target device (1720) uses the polarized resource information to play the polarized data stream, generating clear sound/visual effects (1724).

[0181] While certain exemplary embodiments of the invention have been described in detail above, it should be recognized that other forms, alternatives, modifications, versions and variations of the invention are equally operative and would be apparent to those skilled in the art. The disclosure is not intended to limit the invention to any particular embodiment, and is intended to embrace all such forms, alternatives, modifications, versions and variations. For example, the portions of the invention described above that are described as software components could be implemented as hardware. Moreover, while certain functional blocks are described herein as separate and independent from each other, these functional blocks can be consolidated and performed on a single general-purpose computer, or further broken down into sub-functions as recognized in the art. Accordingly, the true scope of the invention is intended to cover all alternatives, modifications, and equivalents and should be determined with reference to the claims set forth below.



Claims

1. A method of protecting a digital work, z, during transformation by a transformation function, F, into presentation data F(z), comprising:

encrypting the digital work, z, in accordance with an encryption scheme, E;

using a blind transformation function F' to transform the encrypted digital work E(z) into encrypted presentation data, F'(E(z)), wherein F' is a function of F; and

decrypting the encrypted presentation data, F'(E(z)), in accordance with a decryption function, D, to obtain the presentation data, F(z), wherein D(F'(E(z))) = F(z).

2. The method of claim 1, wherein the encryption scheme E is a format preserving encryption scheme.

3. The method of claim 1, wherein the encryption function E is an additive encryption scheme and wherein F' = F.

4. The method of claim 3, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, EG, OU, RSA and compositions thereof.

5. The method of claim 1, wherein F' is a polynomial of F.

6. A system of protecting a digital work, z, during transformation by a transformation function, F, into presentation data F(z), comprising:

an encryption engine for encrypting the digital work z in accordance with an encryption scheme, E;

a blind transformation function F' for transforming the encrypted digital work E(z) into encrypted presentation data, F'(E(z)), wherein F' is a function of F; and

a decryption engine for decrypting the encrypted presentation data, F'(E(z)), in accordance with a decryption function, D, to obtain the presentation data, F(z), wherein D(F'(E(z))) = F(z).

7. The system of claim 6, wherein the encryption scheme E is a format preserving encryption scheme.

8. The system of claim 6, wherein the encryption function E is an additive encryption scheme and wherein F' = F.

9. The system of claim 8, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, EG, OU, RSA and compositions thereof.

10. The system of claim 6, wherein F' is a polynomial of F.